AWS S3: Can't get non-owned objects from bucket with public access (through non authenticated means)

0
votes

So here is the situation:

  • I have a Bucket B. It is owned by account A_1
  • This bucket has public read access on everything (through the bucket policy AND through the ACL. I put both just to try, with no result)
  • This bucket can be written into by account A_2, only with the bucket-owner-full-control ACL
  • The bucket is configured to serve objects through Cloudfront

--> Files uploaded by A_2 correctly give full control to A_1 when browsing in the S3 console

BUT - Cloudfront gets an access denied on the A_2 owned files (works well on A_1 owned files) - using the S3 web url, I can access the A_1 owned files (public ACL on the bucket) but not the A_2 owned

QUESTION: Why isn't the bucket policy applying to the files owned by A_2 on which A_1 has FULL_CONTROL?

NOTE - I was able to "circumvent" the problem by creating an access identity for my cloudfront and asking A_2 to specifically give read to the cloudfront canonical account ID but that's cumbersome.

Bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "Grant read access to the world",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my_bucket/*"
    },
    {
        "Sid": "Grant write access to other account user",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::8566072xxxxx:root"
        },
        "Action": [
            "s3:ListBucket",
            "s3:PutObject"
        ],
        "Resource": [
            "arn:aws:s3:::my_bucket/*",
            "arn:aws:s3:::my_bucket"
        ]
    }
  ]
}
1
amazon-web-servicesamazon-s3

1 Answers

2
votes

S3 access privileges are subject to three conceptually different sets of tests -- IAM principal (user or role), bucket, and object context.

If bucket and object owners are the same, access to the object can be granted in the bucket policy, which is evaluated at the bucket context. If the owners are different, the object owners must use an object ACL to grant permissions.

https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html

The bucket-owner-full-control canned ACL did not historically change actual object ownership, it only gave the bucket owner the ability to grant access to the objects with user and role policies -- not the bucket policy.

In 2020, AWS introduced a new feature called S3 Object Ownership which allows a bucket to be configured so that bucket-owner-full-control behaves more intuitively and automatically assigns object ownership to the bucket owner when that ACL is used during object creation.

This question was asked prior to the introduction of that feature, and the user policy was the reason the objects could be accessed in the console.

The bucket policy can explicitly deny access to objects not owned by the bucket owner, but it can't grant them.