
Bucket Policy allows for write access despite only having getObject in policy

I am working on a Django application and uploading files through the application. I've connected my credentials correctly using django-storages and boto3 packages, and can upload a file through the application.

The bucket has owner-enforced file ownership and my bucket policy should be read only, yet it allows for a file upload:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

I am on an IAM user with AdministratorAccess policy, but believed S3 policies to go with the most restrictive permission of the two.

I've double checked I'm working with the correct bucket's policy.

Does GetObject allow for file uploads as well? Or something...

How can I be sure no stranger on the internet can modify my files?

but believed S3 policies to go with the most restrictive permission of the two

Sadly it does not work like that. The Allow permissions are cumulative, so your IAM user can write to the S3 bucket, regardless of what the bucket policy says.

The only way to change that is to add an explicit Deny for writes to your bucket policy. This is because an explicit Deny "always wins" over any Allow.
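As an added example (not code from the question or the answer), here is a small Python model of the evaluation rule the answer describes, run over the question's bucket policy, an AdministratorAccess-shaped identity policy, and a hardened bucket policy with the explicit Deny. The account id, user name, object key and the Deny statement are constructed for the example, and Conditions, SCPs and session policies are ignored, so the decisions are illustrative of the two rules only.

```python
from fnmatch import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, principal, action, resource):
    # Bucket-policy statements carry a Principal; identity policy statements do not.
    if "Principal" in stmt and stmt["Principal"] != "*":
        if principal not in _as_list(stmt["Principal"].get("AWS", [])):
            return False
    return (any(fnmatch(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch(resource, r) for r in _as_list(stmt["Resource"])))

def evaluate(principal, action, resource, bucket_policy, identity_policy=None):
    """Return 'Allow' or 'Deny'. identity_policy is None for an anonymous caller."""
    statements = list(bucket_policy["Statement"])
    if identity_policy is not None:
        statements += identity_policy["Statement"]   # Allows are cumulative
    effects = [s["Effect"] for s in statements
               if _matches(s, principal, action, resource)]
    if "Deny" in effects:
        return "Deny"                                 # explicit Deny always wins
    return "Allow" if "Allow" in effects else "Deny"  # nothing matched: implicit deny

# Constructed inputs (placeholder account id); ADMIN_POLICY has the shape of AdministratorAccess.
ADMIN_USER = "arn:aws:iam::123456789012:user/admin"
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
OBJECTS = "arn:aws:s3:::bucket-name/*"
KEY = "arn:aws:s3:::bucket-name/uploads/photo.png"
READ_ONLY_BUCKET_POLICY = {"Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": OBJECTS}]}
# The same policy plus the explicit Deny for writes that the answer recommends.
HARDENED_BUCKET_POLICY = {"Statement": READ_ONLY_BUCKET_POLICY["Statement"] + [
    {"Sid": "DenyObjectWrites", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": OBJECTS}]}

def scenarios():
    return {
        "anonymous_get": evaluate("*", "s3:GetObject", KEY, READ_ONLY_BUCKET_POLICY),
        "anonymous_put": evaluate("*", "s3:PutObject", KEY, READ_ONLY_BUCKET_POLICY),
        "admin_put_readonly": evaluate(ADMIN_USER, "s3:PutObject", KEY, READ_ONLY_BUCKET_POLICY, ADMIN_POLICY),
        "admin_put_hardened": evaluate(ADMIN_USER, "s3:PutObject", KEY, HARDENED_BUCKET_POLICY, ADMIN_POLICY),
        "admin_get_hardened": evaluate(ADMIN_USER, "s3:GetObject", KEY, HARDENED_BUCKET_POLICY, ADMIN_POLICY),
    }

if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {decision}")
```

A Deny with Principal "*" also blocks the application's own uploads, so in practice it is scoped with a Condition (for example on aws:PrincipalArn) that excludes the uploader's role.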
