
My image in an S3 bucket is accessible to the public, which it is not supposed to be

I am facing a very strange issue which is either my lack of knowledge or a bug in AWS S3:

So I create an S3 bucket which is not accessible to anyone in public and then I put an image in it. When I try that image, it is definitely not visible to everyone, which is good. (So both my bucket and image have no public access.) Then I added the following bucket policy to it:

{
 "Version": "2012-10-17",
 "Id": "Policy1506624486110",
 "Statement": [
   {
       "Sid": "Stmt1506624421375",
       "Effect": "Allow",
       "Principal": {
           "AWS": "*"
       },
       "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::mybucketname/*"
   }
 ]
}

At this point, based on my understanding, all AWS resources can access this image but not any other people in the public. Strangely, I see that people in public, any stranger, can access this image. Can anyone explain what that bucket policy magically does that makes it available to the public?

You're explicitly making your bucket public.

To grant permission to everyone, also referred to as anonymous access, you set the wildcard, "*", as the Principal value. For example, if you configure your bucket as a website, you want all the objects in the bucket to be publicly accessible. The following are equivalent:

"Principal":"*"

"Principal":{"AWS":"*"}

http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html

The option of either using "AWS" at the "beginning" (as the object key in a JSON object) or the bare scalar string "*" is presumably for historical reasons, one being an older or newer form than the other, but that doesn't appear to be documented. The object key refers to an authority type, with other documented values including "CanonicalUser", "Federated", and "Service".

There are very few valid use cases for using "*" in a policy, unless additional condition tests in the policy are used to narrow the policy's scope.

Note also that the * is not a true wildcard, here. It's only a placeholder for "everyone." You can't use it in a principal to match a portion of an ARN. For example, "AWS": [ "arn:aws:iam:account-id:user/*" ] does not mean all IAM users in the specified account.

The best practice recommendation is not to use bucket policies when the desired action can be accomplished with user or role policies.

You should be specific about the principal. You can give multiple ARNs instead of '*'. Use the bucket policy generator to generate the policy and specify which ARN you want in the principal. It would be worth reading the link below:

http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
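The points made in both answers above (a bare "*" and {"AWS": "*"} both mean anonymous access, an ARN containing "*" is not a wildcard principal, and naming specific ARNs is the fix) can be turned into a small policy audit. The script below is an added example, not code from the thread or from AWS; the two policy documents are constructed samples (the first has the same shape as the policy in the question, the second is a hypothetical restricted version), and the account id 111122223333, the role name image-reader and the bucket name are placeholders.

```python
"""Audit S3 bucket policies for anonymous ("everyone") principals.

Added example; not from the original thread. The policy documents below are
constructed samples, and the account id, role name and bucket name in them
are placeholders.
"""
import json

# Constructed sample: same shape as the policy in the question. Principal
# {"AWS": "*"} is equivalent to Principal "*" and grants anonymous access.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucketname/*"
    }
  ]
}
""")

# Constructed sample: hypothetical hardened policy that names one specific
# role ARN (placeholder account id and role name) instead of "*".
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/image-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucketname/*"
    }
  ]
}
""")


def _principal_values(principal):
    """Flatten a Principal element into a list of its string values.

    Accepts the bare scalar "*" or an object such as {"AWS": "*"},
    {"AWS": [...]}, {"Service": ...}, {"Federated": ...}.
    """
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        values.extend(v if isinstance(v, list) else [v])
    return values


def is_anonymous_principal(principal):
    """True when the Principal is the 'everyone' placeholder.

    Only a value that is exactly "*" means everyone. An ARN that merely
    contains '*' (e.g. "arn:aws:iam::111122223333:user/*") is not a
    wildcard match and is therefore not treated as anonymous here.
    """
    return any(v == "*" for v in _principal_values(principal))


def find_public_statements(policy):
    """Return Sids of Allow statements whose Principal is everyone.

    Statements that carry a Condition block are listed separately as
    'conditional', because the condition may narrow the statement's scope
    and needs a human look rather than an automatic verdict.
    """
    unconditional, conditional = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal", {})):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        (conditional if stmt.get("Condition") else unconditional).append(sid)
    return {"unconditional": unconditional, "conditional": conditional}


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY),
                         ("restricted", RESTRICTED_POLICY)):
        print(name, find_public_statements(policy))
```

Run against the first sample it reports the "PublicRead" statement as unconditionally open to everyone; against the second it reports nothing, because the principal is a specific role ARN. The same function can be pointed at the JSON returned by the S3 GetBucketPolicy API to review an existing bucket.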

粤ICP备18138465号  © 2020-2024 STACKOOM.COM