25

An external user has access to our S3 bucket, using these actions in our bucket policy:

"Action": [
    "s3:GetObjectAcl",
    "s3:GetObject",
    "s3:PutObjectAcl",
    "s3:ListMultipartUploadParts",
    "s3:PutObject"
]

That user generated temporary credentials, which were then used to upload a file into our bucket.

Now, I cannot access the file. In the S3 UI, if I attempt to download the file, I get a 403. If I attempt to change the permissions on that object, I see the message: "Sorry! You do not have permissions to view this bucket." If the external user sets the appropriate header (x-amz-acl: bucket-owner-full-control) when uploading the file with the temporary credentials, I can access the file normally. It seems strange to me that even though I own the bucket, it is possible for the external user to put files into it that I am unable to access.

Is it possible that there is some policy I can set so I can access the file, or so that I am able to access any file that is added to my bucket, regardless of how it is added? Thanks!

ErikE
eric

3 Answers

29

I believe you have to get the object owner to update the ACL or re-write the object specifying bucket owner full control. The simplest way to experiment with this is using the CLI:

aws s3api put-object-acl --acl bucket-owner-full-control --bucket some-bucket --key path/to/unreadable.txt

Yeah, I think you have to do that once for each object, I don't think there is a recursive option.

AWS publishes an example bucket policy to prevent adding objects to the bucket without giving the bucket owner full control. But that will not address ownership of the objects already in your bucket.

I don't know of any policy that will automagically transfer ownership to the bucket owner.

James
  • You're correct, and this is by design. If you allow other users to upload into your bucket, and don't enforce `bucket-owner-full-control` on uploads with the bucket policy, then the *only* action available to the bucket owner is to delete the object. Everything else requires permission to be granted by the object owner. – Michael - sqlbot Dec 03 '15 at 01:25
  • As a footnote, for this to work with the `cp` or `mv` command the user needs permission for the `PutObjectAcl` action as well; this knowledge would have saved me an hour ;) – Paweł Prażak Oct 26 '16 at 14:10
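An added example (not code from any answer on this page) showing, in Python, the deny-unless-bucket-owner-full-control bucket policy that the first answer refers to, together with a simplified offline evaluator of its condition, and the BucketOwnerEnforced ownership-controls payload from the third answer. The bucket name `some-bucket`, the lowercase header dict and the evaluator itself are assumptions; the evaluator models one IAM rule (negated operators match when the key is absent) and is not boto3 or the real policy engine.

```python
ACL_HEADER = "x-amz-acl"                # S3 canned-ACL request header
REQUIRED_ACL = "bucket-owner-full-control"
CONDITION_KEY = "s3:" + ACL_HEADER      # IAM condition key for that header


def deny_uploads_without_owner_control(bucket: str) -> dict:
    """Bucket policy in the shape of the AWS example the first answer refers to:
    an explicit Deny on s3:PutObject unless the canned ACL grants the bucket owner
    full control. Deny overrides the external user's Allow, so such uploads fail."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireBucketOwnerFullControl",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEquals": {CONDITION_KEY: REQUIRED_ACL}},
        }],
    }


def put_object_allowed(policy: dict, request_headers: dict) -> bool:
    """Simplified offline check of the Deny statements for a PutObject (the Allow
    from the question is assumed; header names assumed lowercase). Mirrors IAM
    semantics for negated operators: StringNotEquals is true when the key is
    absent, so an upload with NO x-amz-acl header is denied, not only a wrong ACL."""
    sent_acl = request_headers.get(ACL_HEADER)
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in actions:
            continue
        required = stmt["Condition"]["StringNotEquals"][CONDITION_KEY]
        if sent_acl is None or sent_acl != required:
            return False  # a Deny statement matched
    return True


def ownership_controls_payload() -> dict:
    """Body for put-bucket-ownership-controls (third answer): BucketOwnerEnforced
    disables ACLs, so the bucket owner owns every object and the check above is moot."""
    return {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}


if __name__ == "__main__":
    policy = deny_uploads_without_owner_control("some-bucket")
    for hdrs in ({}, {ACL_HEADER: "private"}, {ACL_HEADER: REQUIRED_ACL}):
        print(hdrs, "->", "allowed" if put_object_allowed(policy, hdrs) else "denied")
```

Only the last of the three constructed requests (the one carrying bucket-owner-full-control) is allowed; the header-less upload is denied because of the absent-key behaviour of StringNotEquals.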
21

You can actually use a copy with the recursive option to copy all objects back to the bucket and set the ACL to bucket-owner-full-control, using the following syntax:

aws s3 cp s3://myBucket s3://myBucket --recursive --acl bucket-owner-full-control --storage-class STANDARD
user307297
  • Use this command with the credentials of the account that did the original upload to give the bucket-owner-full-control, but at that point the account that did the original upload still owns the S3 objects. If you need to, repeat this command with the credentials of the account owning the bucket to give that account ownership of the S3 objects as well. – davidvandebunte Oct 06 '17 at 13:35
7

AWS has solved this in the general case by now allowing bucket owners to configure their buckets to take control of all objects placed there, regardless of writer. This is great news as you no longer need to ask the writer to place additional flags during write.

To change your bucket to this setting (which is also now the recommended default) you can use this command:

aws s3api put-bucket-ownership-controls --bucket <bucketname> --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'

Another piece of good news is that this retroactively takes control of objects previously written without ACL restrictions. For more information, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

  • This should be marked as the correct answer. Also, a little typo in the command :P aws s3api put-bucket-ownership-controls --bucket DOC-EXAMPLE-BUCKET --ownership-controls="Rules=[{ObjectOwnership=BucketOwnerEnforced}]" – Josh Apr 28 '23 at 20:07
  • Thanks! I'm actually a little confused as to the correct syntax for the --ownership-controls flag myself... your example matches that found here https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-ownership-controls.html – Eric from B'more Apr 30 '23 at 17:20
  • Oops... hit enter too early. What I meant to say was... your example matches that found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-existing-bucket.html But the docs on the flag itself don't show an equals sign as being required: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-ownership-controls.html I did a little experiment and evidently both are acceptable! (They both altered the state of the test bucket.) – Eric from B'more Apr 30 '23 at 17:29