Amazon S3 - How do I download objects owned by anonymous user?

Question

I have a sample web page that has allowed anonymous users to upload objects and create folders in my S3 bucket.

Unfortunately I had not set any specific bucket policies or ACLs before doing this.

Now I have the problem where an anonymous user has created a folder and uploaded objects which I (as the root user) cannot download or access. I plan to set up a new bucket policy before more users can upload objects, but right now I need access to these current objects owned by anonymous.

Can someone tell me how I can do this?

May I know how you are accessing it as root user ?, I mean through AWS Console or code ? — Sangram Chavan, Jan 17 '15 at 21:21
Yes I am accessing the objects through the AWS console as the root user. Does this matter, if I am trying to download the files? — John Dunlea, Jan 17 '15 at 22:15

score 4 · Answer 1 · answered Feb 08 '15 at 01:27

By 'anonymous user', do you mean 'unauthenticated user'? If so, then you have two options (#1 and #2 below). If not, then you have one option (#1 below). All of this assumes, of course, that you cannot persuade the uploader himself to modify the ACLs on these objects.

delete the objects. As the bucket owner, you can always delete objects (and stop paying for them).
become the object owner and grant the bucket owner (you) full control. Anyone can be the unauthenticated user and hence the object owner.

Here is an example of how to do #2 for bkt/cat.jpg using node.js and the AWS JavaScript SDK. This code invokes putObjectAcl as the unauthenticated user and gives the bucket owner (you) full control over the object.

var aws = require('aws-sdk');
var s3 = new aws.S3();
var p = { Bucket: 'bkt', Key: 'cat.jpg', ACL: 'bucket-owner-full-control' };
s3.makeUnauthenticatedRequest('putObjectAcl', p, function(e,d) {
  if (e) console.log('err: ' + e);
  if (d) console.log('data: ' + d);
});

Unfortunately, the awscli does not appear to support unauthenticated S3 calls otherwise I would have proposed using that to modify the ACLs of the object.

Note that the canned ACL of bucket-owner-full-control gives both the object owner and the bucket owner full control.

This fixed a major pain point for me. Thanks for the s3.makeUnauthenticatedRequest method, I was unaware of that. — Jonathan Kempf, Sep 21 '16 at 20:52

score 0 · Answer 2 · answered Jan 18 '15 at 19:54

Take a look at the Policy on the Identity and Access Management (IAM) user you are using to access the AWS Management Console. If it has Administrator or Power User policy settings, then you will have full access to objects in all Amazon S3 buckets associated with your AWS Account.

You will need to access the objects through an authenticated method, such as the S3 Management Console.

If you are using the root user of your account, you will also have full access to your S3 buckets and their contents. It is not recommended that you use your root user on a daily basis because it has complete access to your account and it is dangerous if compromised -- instead, use the root account to create an administrative user in IAM, which can be more easily managed (eg changing permissions, rotating keys).

If you are still having difficulty viewing the objects, make sure they are being accessed by selecting the object and then choosing Open from the Actions menu. This creates an authenticated URL that will open the files. If you simply click the displayed link in the object properties window, it will use a URL that has no authentication and will likely fail.

It's not the case that a bucket owner has full access to objects in his own S3 buckets, as odd as that might seem. If the owner who put them there did not grant the bucket owner access (read, read/write, or full control) then the bucket owner has no access to the objects except to delete them. And the only reason, afaik, that he has permission to delete them is that he is paying the bill for the S3 bucket. — jarmod, Feb 08 '15 at 01:32

Amazon S3 - How do I download objects owned by anonymous user?

2 Answers2

Linked