Non-User Restricted AWS User Access Policy for S3 Resource

Ruby 1.8.7 (yes I know it's ancient)
aws-sdk-v1 1.60.2
AWS S3

I am trying to restrict access to the S3 bucket so that only one user can read and write it.

I created the following permission policy and bound it to an IAM user called UserX:

{
   "Version": "2012-10-17",
   "Statement": [
     { "Sid":"my_sid",
       "Effect":"Allow",
       "Action":"s3:*",
       "Resource": "arn:aws:s3:::my_bucket_name/*"
     }]
}


My expectation is that since UserX is using this policy, they will be the only user who can do anything with this bucket.

However, if I connect to AWS without credentials, I can write to this bucket without any problem. This is not what I want. I don't want anyone other than UserX to write to this bucket (or read from it, for that matter).

If I remove this policy from UserX then the default behavior applies: neither an authenticated nor an unauthenticated write request works, which is what I expect.

This policy appears to allow access to all users, even if connected to UserX.

Here is the code (effectively; the actual code is spread across methods) I am using to do this:

For an unauthorized request (one that can write, but shouldn't be able to):

  require 'aws-sdk'   # aws-sdk-v1 1.60.2

  # No credentials passed here; intended as an anonymous request.
  s3 = AWS::S3.new
  bucket = s3.buckets[my_bucket_name]
  o = bucket.objects[aws_filename]
  o.write(:file => filename_on_local_system)


For an authenticated request:

  require 'aws-sdk'   # aws-sdk-v1 1.60.2

  # UserX's credentials passed explicitly.
  AWS.config(:access_key_id => AWS_ACCESS_KEY_ID,
             :secret_access_key => AWS_SECRET_ACCESS_KEY,
             :region => 'us-west-2')
  s3 = AWS::S3.new
  bucket = s3.buckets[my_bucket_name]
  o = bucket.objects[aws_filename]
  o.write(:file => filename_on_local_system)


I've also tried:

  • binding this policy to a group and assigning UserX to this group with the same results
  • creating a bucket policy to allow this user to write to it, which results in the same behavior
  • creating the same bucket policy in a different AWS account and getting the same behavior
  • using the s3cmd utility and getting the same behavior
  • using the aws-s3 gem instead (but couldn't get a good request through to AWS).

The AWS Policy Simulator seems to work, but since you can't tell which user is performing an action, it doesn't really help me debug this.

This is extremely frustrating. I think I might need to look into ACLs, although they are frowned upon.

Any help is appreciated.

Wes

+3

1 answer


The client software I was using was still collecting credentials from a config file (aws.yml), although I did not explicitly pass the credentials when configuring.

Thanks for the help.



Wes

+2
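The two halves of this thread fit together: the policy in the question can only grant rights to the user it is attached to, so it cannot by itself shut anyone else out, and the "unauthenticated" client in the question was not anonymous because the v1 SDK picked up aws.yml. The Ruby script below is an added example, not code from the question, the answer or the aws-sdk project. It models the SDK's credential fallback (explicit AWS.config, then environment, then a config file) and a simplified version of AWS's policy evaluation for an identity policy plus a bucket policy. The access key ids, the key-to-user map, the use of plain user names as principals and the public-write bucket policy are all constructed for illustration; only UserX, my_bucket_name, aws.yml and the question's policy come from the thread.

```ruby
# Added example, not code from the question or answer above. It models two
# things that together explain the poster's observation: (1) how the aws-sdk
# v1 Ruby client falls back from explicit AWS.config values to the environment
# and then to a config file such as aws.yml, so a client given "no credentials"
# may still sign requests; (2) a simplified version of how AWS evaluates an
# identity policy attached to a user alongside a bucket policy. Access key
# values, the principal names and the key-to-user map are constructed.

# Constructed map from access key id to the IAM user it belongs to.
KEY_TO_PRINCIPAL = {
  'AKIA_EXAMPLE_USERX' => 'UserX',
  'AKIA_EXAMPLE_USERY' => 'UserY'
}

# Walk the credential sources in the order the SDK consults them and report
# which principal the request would be signed as, and where the key came from.
def resolve_principal(explicit, env, config_file)
  sources = [
    ['explicit AWS.config',           explicit && explicit[:access_key_id]],
    ['environment AWS_ACCESS_KEY_ID', env['AWS_ACCESS_KEY_ID']],
    ['config file aws.yml',           config_file && config_file['access_key_id']]
  ]
  name, key = sources.find { |_, k| k }
  return ['anonymous', 'no credentials found'] unless key
  [KEY_TO_PRINCIPAL.fetch(key, 'unknown'), name]
end

# IAM-style wildcard match: '*' matches any run of characters.
def glob_match?(pattern, value)
  re = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z')
  !!(value =~ re)
end

def statement_matches?(stmt, action, resource)
  Array(stmt['Action']).any? { |a| glob_match?(a, action) } &&
    Array(stmt['Resource']).any? { |r| glob_match?(r, resource) }
end

# Bucket-policy statements name their Principal; "*" means everyone, including
# anonymous callers. Principals are plain user names here for brevity.
def principal_matches?(stmt, principal)
  pr = stmt['Principal']
  return true if pr == '*'
  return false if principal == 'anonymous' || pr.nil?
  Array(pr['AWS']).include?(principal)
end

# Simplified AWS decision logic: implicit deny by default, an explicit Deny
# in any applicable statement wins, otherwise any matching Allow grants.
# Identity policies only ever apply to the principal they are attached to,
# which is why UserX's Allow cannot restrict anyone else.
def evaluate(request, identity_policies, bucket_policy)
  principal  = request[:principal]
  applicable = (identity_policies[principal] || []).map { |pol| pol['Statement'] }.flatten
  if bucket_policy
    applicable += bucket_policy['Statement'].select { |s| principal_matches?(s, principal) }
  end
  matching = applicable.select { |s| statement_matches?(s, request[:action], request[:resource]) }
  return 'Deny (explicit)' if matching.any? { |s| s['Effect'] == 'Deny' }
  return 'Allow'           if matching.any? { |s| s['Effect'] == 'Allow' }
  'Deny (implicit)'
end

# The policy from the question, attached to UserX.
USERX_POLICY = {
  'Version'   => '2012-10-17',
  'Statement' => [{ 'Sid' => 'my_sid', 'Effect' => 'Allow', 'Action' => 's3:*',
                    'Resource' => 'arn:aws:s3:::my_bucket_name/*' }]
}
IDENTITY_POLICIES = { 'UserX' => [USERX_POLICY] }

# Constructed bucket policy granting everyone write access: the only kind of
# policy that would actually let an anonymous caller write to the bucket.
PUBLIC_WRITE_BUCKET_POLICY = {
  'Version'   => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Principal' => '*', 'Action' => 's3:PutObject',
                    'Resource' => 'arn:aws:s3:::my_bucket_name/*' }]
}

# Resolve the caller's identity, then decide a PutObject on the bucket.
def check_write(explicit, env, config_file, bucket_policy = nil)
  principal, source = resolve_principal(explicit, env, config_file)
  request = { :principal => principal, :action => 's3:PutObject',
              :resource  => 'arn:aws:s3:::my_bucket_name/report.csv' }
  [principal, source, evaluate(request, IDENTITY_POLICIES, bucket_policy)]
end

if __FILE__ == $0
  aws_yml = { 'access_key_id' => 'AKIA_EXAMPLE_USERX', 'secret_access_key' => 'constructed' }
  # The poster's "unauthenticated" client with aws.yml present: signed as UserX.
  p check_write(nil, {}, aws_yml)
  # Truly anonymous client: implicit deny, as the poster expected.
  p check_write(nil, {}, nil)
  # Another IAM user with no policy of their own: also denied.
  p check_write({ :access_key_id => 'AKIA_EXAMPLE_USERY' }, {}, nil)
  # What a public-write bucket policy would do for an anonymous caller.
  p check_write(nil, {}, nil, PUBLIC_WRITE_BUCKET_POLICY)
end
```

The first call is the situation in the question: nothing was configured in code, yet the request goes out signed as UserX because the config file is consulted before the SDK gives up. The second call is what the poster thought they were testing, and it is denied by the implicit default. The practical check this suggests is to confirm which credentials a client has actually resolved (config file, environment, instance role) before concluding that a request was anonymous, and to treat bucket policies with a `Principal` of `*` as the thing that opens a bucket to the public, rather than any identity policy attached to a single user.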
