AWS S3 cross-account policy allowing public access

0

I'm having some difficulty locking down an S3 bucket that I must share across accounts.

I have no public ACL defined. "Everyone" has no options enabled. The console bucket list says "Bucket and objects not public".

This is my policy (created using the policy generator). I have changed the bucket name and principal ID:

{
    "Version": "2012-10-17",
    "Id": "Policy1554292781812",
    "Statement": [
        {
            "Sid": "Stmt1554292513566",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::0000000000000:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Sid": "Stmt1554292778889",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::0000000000000:root"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions"
            ],
            "Resource": "arn:aws:s3:::my-bucket"
        }
    ]
}

My expectation is that one other account (0000000000) has read access to list content and get objects from this bucket. No one else should have any access.

The 0000000000 account developers have started work on some code today to access files in that bucket. What is interesting is that they have not yet configured their own access credentials. So the client (IAmazonS3 C# client) is attempting to access the bucket without any authentication. They are able to list the contents of the bucket.

I can't see any file-level permissions set on any files in those buckets.

If I try to access the bucket with Cyberduck (for ease), using the access key for a separate test account, I am met with an authentication error and denied access to the bucket - exactly what I expect.

Why can these guys access the bucket contents using a C# client without supplying their own access credentials? What have I missed?

Ian Bale

Posted 2019-04-16T07:23:04.740

Reputation: 1

I would use your S3 logs to verify that they are indeed not using credentials. My wager is that they are -- perhaps through environment variables or some other implicit mechanism. Anonymous requests should have Requester set to -. https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html

– Michael - sqlbot – 2019-04-16T18:03:41.610
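The check suggested in the comment above, worked through as an added example (this is not code from the thread or from AWS): parse S3 server access log lines and separate anonymous requests, whose Requester field is "-", from signed requests, grouping the signed ones by the AWS account in the requester ARN. The three log lines embedded below are constructed for the example; the account IDs, IPs, request IDs and host ID are placeholders, and the field order follows the S3 server access log format linked above (the last six fields were added to that format in 2019, so older lines may have fewer tokens, which the parser tolerates).

```python
"""
Separate anonymous from authenticated requests in S3 server access logs.

Added example. The log lines in SAMPLE_LOG are constructed; account IDs,
addresses and request IDs are placeholders, not real data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Field order of the S3 server access log format. Older log lines may stop
# after version_id; missing trailing fields are parsed as None.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version",
]

# A token is a bracketed time, a double-quoted string, or a run of non-spaces.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')
_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed sample: a signed ListBucket from the developer account, a signed
# but denied GetObject from a separate test account, and one unsigned request.
SAMPLE_LOG = """\
c1a2b3EXAMPLEOWNERCANONICALID my-bucket [17/Apr/2019:12:40:01 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/dev-alice 3E57427F3EXAMPLE REST.GET.BUCKET - "GET /my-bucket?list-type=2 HTTP/1.1" 200 - 512 - 12 11 "-" "aws-sdk-dotnet-coreclr/3.3.0" - s9lzHYrFp76ZVxRcpX9EXAMPLEHOSTID= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.eu-west-1.amazonaws.com TLSv1.2
c1a2b3EXAMPLEOWNERCANONICALID my-bucket [17/Apr/2019:12:41:15 +0000] 198.51.100.7 arn:aws:iam::444455556666:user/test-bob 7C2B1A0F9EXAMPLE REST.GET.OBJECT data/report.csv "GET /my-bucket/data/report.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "Cyberduck/6.9.4" - s9lzHYrFp76ZVxRcpX9EXAMPLEHOSTID= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.eu-west-1.amazonaws.com TLSv1.2
c1a2b3EXAMPLEOWNERCANONICALID my-bucket [17/Apr/2019:12:42:30 +0000] 192.0.2.44 - 9D4E5F6A7EXAMPLE REST.GET.OBJECT data/report.csv "GET /my-bucket/data/report.csv HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-sdk-dotnet-coreclr/3.3.0" - s9lzHYrFp76ZVxRcpX9EXAMPLEHOSTID= - - - my-bucket.s3.eu-west-1.amazonaws.com TLSv1.2
"""


def tokenize(line: str) -> List[str]:
    """Split a log line on spaces, keeping [time] and "quoted" fields whole."""
    toks = []
    for m in _TOKEN.finditer(line):
        t = m.group(0)
        if t.startswith("[") and t.endswith("]"):
            t = t[1:-1]
        elif len(t) >= 2 and t.startswith('"') and t.endswith('"'):
            t = t[1:-1]
        toks.append(t)
    return toks


def parse_line(line: str) -> Dict[str, Optional[str]]:
    """Map positional tokens onto FIELDS; absent trailing fields become None."""
    toks = tokenize(line)
    return {name: (toks[i] if i < len(toks) else None) for i, name in enumerate(FIELDS)}


def requester_account(requester: Optional[str]) -> Optional[str]:
    """Return the 12-digit account ID if the requester is an IAM ARN, else None."""
    if not requester or requester == "-":
        return None
    m = _ACCOUNT_IN_ARN.match(requester)
    return m.group(1) if m else None


def is_anonymous(rec: Dict[str, Optional[str]]) -> bool:
    """An unsigned request is logged with "-" as the requester."""
    return rec["requester"] == "-"


def summarize(lines) -> Tuple[List[dict], Dict[str, List[dict]], List[dict]]:
    """Return (anonymous records, signed records keyed by account, other signed records)."""
    anon: List[dict] = []
    by_account: Dict[str, List[dict]] = {}
    other: List[dict] = []  # canonical user IDs, service principals, etc.
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_anonymous(rec):
            anon.append(rec)
            continue
        acct = requester_account(rec["requester"])
        (by_account.setdefault(acct, []) if acct else other).append(rec)
    return anon, by_account, other


if __name__ == "__main__":
    anon, by_account, other = summarize(SAMPLE_LOG.splitlines())
    for r in anon:
        print(f"ANONYMOUS {r['time']} {r['remote_ip']} {r['operation']} {r['key']} -> {r['http_status']}")
    for acct, recs in by_account.items():
        for r in recs:
            print(f"ACCOUNT {acct} {r['requester']} {r['operation']} {r['key']} -> {r['http_status']} ({r['user_agent']})")
    print(f"{len(other)} signed request(s) without an IAM ARN requester")
```

Run it against a real log file with `summarize(open(path))`. Any record in the anonymous list that shows a 200 on ListBucket or GetObject is the evidence that would confirm the question's premise; an account ID in the ARN instead, as the poster later found, means the SDK picked up credentials from somewhere (environment variables, a shared credentials file, or an instance profile) even though none were configured explicitly.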

Sensible idea! I've just turned on the logging. Will see what that shows me shortly... – Ian Bale – 2019-04-17T12:35:27.730

I was about to say that the logging was not working after waiting half an hour or so for any logs to appear after requesting files. But they have finally turned up... I can see their AWS account ID in there, so obviously they must have configured their own access credentials somehow... Thanks for the assistance. – Ian Bale – 2019-04-17T14:41:04.120

No answers