
I have a bucket (let's call it bucket-1) on AWS S3 from which I cannot read. I have another bucket (let's call it bucket-2) from which I can read.

I can list the contents of both buckets, but I cannot copy any of the contents of bucket-1.

% aws s3 ls s3://bucket-1/ | grep 0046
2016-03-09 15:39:50    4413909 0046f326-6e7d-4c16-80e4-491fa0b19dd7

% aws s3 cp s3://bucket-1/0046f326-6e7d-4c16-80e4-491fa0b19dd7 .
A client error (403) occurred when calling the HeadObject operation: Forbidden

In the course of trying to figure this out I switched back to using Access Keys of the AWS Account not an IAM User (assuming that the AWS Account has basically all privileges).

Start digging

Assuming the cause is in the permissions, I run

% aws s3api get-bucket-acl --bucket bucket-1
% aws s3api get-bucket-acl --bucket bucket-2

Common

It shows my AWS Account as the owner of both buckets.

Different

bucket-2 has one permission: FULL_CONTROL for my AWS Account.

bucket-1 lists several permissions, FULL_CONTROL is not among these. It lists

  • READ
  • WRITE
  • READ_ACP
  • WRITE_ACP

for my AWS Account.

In the web console the objects in bucket-1 don't have any permission set. The objects in bucket-2 have the same permission as the bucket they are in.

It is likely that different methods were used to store the files in the two buckets. The objects in bucket-2 were likely created via the API, while the objects in bucket-1 originate from an anonymous POST. (Yes, bucket-1 has the permission WRITE for Everyone.)

Digging deeper

Even with the credentials of my AWS Account I don't have the permission to query the acl of the object.

% aws s3api get-object-acl --bucket bucket-1 --key 0046f326-6e7d-4c16-80e4-491fa0b19dd7
A client error (AccessDenied) occurred when calling the GetObjectAcl operation: Access Denied

% aws s3api get-object --bucket bucket-1 --key 0046f326-6e7d-4c16-80e4-491fa0b19dd7 local.file
A client error (AccessDenied) occurred when calling the GetObject operation: Access Denied

% aws s3api head-object --bucket bucket-1 --key 0046f326-6e7d-4c16-80e4-491fa0b19dd7
A client error (403) occurred when calling the HeadObject operation: Forbidden

Questions

On a helpful site on the internet I found that one can use put-object-acl to set the acl to bucket-owner-full-control. I tried that. But you have to do this with the credentials of the owner of the file - and how can you do that if the file was posted anonymously?

  • What else can I try?
  • Do objects on S3, like buckets, have an owner?
  • If so, where in the web console can I find that information?
branch14
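As an added example (not code from the original question), the check below answers the "do objects have an owner, and where can I see it" part from the CLI rather than the console: `aws s3api get-bucket-acl` reports the bucket's Owner, and `aws s3api list-objects-v2 --fetch-owner` (boto3: `list_objects_v2(FetchOwner=True)`) reports an Owner per object. The script works on those two JSON shapes; the account IDs, the second key and the sample data are constructed so it runs offline, and it only lists the `delete-object` commands rather than running them.

```python
"""Audit a bucket for objects the bucket owner does not own.

Added example, not code from the original post. It operates on the JSON
shapes returned by `aws s3api get-bucket-acl` and
`aws s3api list-objects-v2 --fetch-owner` (boto3: get_bucket_acl and
list_objects_v2(FetchOwner=True)); the data below is constructed so the
script runs offline. Account IDs and the second key are placeholders.
"""
from typing import Dict, List, Optional, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed: what get-bucket-acl returned for a bucket like bucket-1
BUCKET_ACL = {
    "Owner": {"DisplayName": "my-account", "ID": "aaaa1111"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "aaaa1111"}, "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "aaaa1111"}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

# Constructed: list-objects-v2 --fetch-owner output; one object owned by the
# bucket owner, one by another account, one whose Owner element is absent
LISTING = {
    "Contents": [
        {"Key": "0046f326-6e7d-4c16-80e4-491fa0b19dd7", "Size": 4413909,
         "Owner": {"ID": "bbbb2222"}},
        {"Key": "api-upload.bin", "Size": 10, "Owner": {"ID": "aaaa1111"}},
        {"Key": "unknown-owner.bin", "Size": 1},
    ]
}


def bucket_owner_id(acl: Dict) -> str:
    """Canonical user ID of the bucket owner, from the ACL's Owner element."""
    return acl["Owner"]["ID"]


def anonymous_write_allowed(acl: Dict) -> bool:
    """True if the AllUsers group holds WRITE or FULL_CONTROL on the bucket,
    i.e. anyone on the internet can upload (the situation in the question)."""
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS:
            if grant["Permission"] in ("WRITE", "FULL_CONTROL"):
                return True
    return False


def foreign_objects(listing: Dict, owner_id: str) -> List[Tuple[str, Optional[str]]]:
    """Keys whose Owner is not the bucket owner. Objects without an Owner
    element are reported with owner None so they are not silently skipped."""
    result = []
    for obj in listing.get("Contents", []):
        obj_owner = obj.get("Owner", {}).get("ID")
        if obj_owner != owner_id:
            result.append((obj["Key"], obj_owner))
    return result


def delete_commands(bucket: str, keys: List[str]) -> List[str]:
    """The bucket owner can delete objects in its bucket even when it cannot
    read them, so emit the CLI commands for review before running them."""
    return [f"aws s3api delete-object --bucket {bucket} --key {k}" for k in keys]


if __name__ == "__main__":
    owner = bucket_owner_id(BUCKET_ACL)
    print("bucket owner:", owner)
    print("anonymous WRITE on bucket:", anonymous_write_allowed(BUCKET_ACL))
    flagged = foreign_objects(LISTING, owner)
    for key, obj_owner in flagged:
        print(f"{key}: owner {obj_owner or 'unknown'}")
    for cmd in delete_commands("bucket-1", [k for k, _ in flagged]):
        print(cmd)
```

Against a real account, replace the two constructed dicts with the parsed output of the two CLI calls (or the boto3 responses); an object whose Owner differs from the bucket Owner is exactly the case where `get-object` and `get-object-acl` fail with AccessDenied even for the account that owns the bucket.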

1 Answer


Don't allow anonymous uploads to your bucket. If you do, and the uploader doesn't set the permissions correctly, the only action available to you is to delete the object.

It is possible to set the bucket policy so that the anonymous upload is denied unless the uploader sets the ACL to bucket-owner-full-control, but that's only useful for future uploads.

In any event... is there a legitimate application for anonymous uploads? Highly dubious.

Michael - sqlbot
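The bucket policy the answer describes, as an added example that is not the answerer's code: a single Deny on `s3:PutObject` conditioned on the `s3:x-amz-acl` request key, plus a small local check of which uploads that statement would reject. "bucket-1" is the placeholder name from the question. The evaluator models only this one Deny statement, not the full IAM and ACL evaluation, and relies on the IAM rule that a `StringNotEquals` condition on a key absent from the request evaluates to true, so an upload that sends no canned ACL at all is denied, not just one that sends the wrong ACL. As the answer says, this changes nothing for objects already in the bucket.

```python
"""Bucket policy that denies PutObject unless the uploader grants
bucket-owner-full-control, with a local check of which requests it denies.

Added example, not the answerer's code. "bucket-1" is the placeholder bucket
name from the question. put_object_denied models this one Deny statement
only, not the full IAM/ACL evaluation, using the IAM rule that a
StringNotEquals condition on a missing request key evaluates to true, so a
PutObject with no x-amz-acl at all is denied as well.
"""
import json
from typing import Dict, Optional

CANNED_ACL_KEY = "s3:x-amz-acl"
REQUIRED_ACL = "bucket-owner-full-control"


def require_owner_full_control_policy(bucket: str) -> Dict:
    """Policy document suitable for `aws s3api put-bucket-policy`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutWithoutBucketOwnerFullControl",
                "Effect": "Deny",
                "Principal": "*",            # matches anonymous callers too
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEquals": {CANNED_ACL_KEY: REQUIRED_ACL}
                },
            }
        ],
    }


def policy_json(bucket: str) -> str:
    """Serialized policy, e.g. to write to policy.json."""
    return json.dumps(require_owner_full_control_policy(bucket), indent=2)


def _arn_matches(pattern: str, arn: str) -> bool:
    """Minimal resource matcher: supports one trailing '*' wildcard."""
    if pattern.endswith("*"):
        return arn.startswith(pattern[:-1])
    return pattern == arn


def put_object_denied(policy: Dict, bucket: str, key: str,
                      acl_header: Optional[str]) -> bool:
    """True if a Deny statement in `policy` matches a PutObject on
    bucket/key whose x-amz-acl is acl_header (None when the header is absent).

    A Deny grants nothing by itself: uploads carrying the required ACL still
    need an Allow from somewhere (in the question, the bucket ACL's WRITE
    for Everyone)."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if not _arn_matches(stmt["Resource"], arn):
            continue
        expected = stmt["Condition"]["StringNotEquals"][CANNED_ACL_KEY]
        # Missing key -> StringNotEquals is true -> the Deny applies
        if acl_header is None or acl_header != expected:
            return True
    return False


if __name__ == "__main__":
    policy = require_owner_full_control_policy("bucket-1")
    print(policy_json("bucket-1"))
    for acl in (None, "private", "public-read", REQUIRED_ACL):
        verdict = "DENIED" if put_object_denied(policy, "bucket-1", "f", acl) else "not denied"
        print(f"x-amz-acl={acl!r}: {verdict}")
```

Apply it with `aws s3api put-bucket-policy --bucket bucket-1 --policy file://policy.json` after writing `policy_json("bucket-1")` to that file. For uploads made with the CLI or SDK the value arrives as the `x-amz-acl` header (`--acl bucket-owner-full-control`); for browser-based POST uploads the canned ACL is supplied as the `acl` form field, and it is an assumption here, worth confirming in your own account, that the condition key is evaluated against that field in the same way.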
    Thx for your answer and I concur. I can't think of 'a legitimate application for anonymous uploads'. In our case at that time it was just the quickest option and as always - timing was critical. – branch14 May 23 '16 at 07:23