Thursday 8 January 2015

AWS user permission policy against S3 resource not restricting to specific user

Ruby 1.8.7 (yeah, I know it's ancient)

aws-sdk-v1 1.60.2

AWS S3


I am attempting to restrict access to an S3 bucket so that only one user may read/write to it.


I created the following permission policy and attached it to an IAM user, let's call them UserX:



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "my_sid",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my_bucket_name/*"
    }
  ]
}


My expectation is that because UserX has this policy attached to it, they will be the only user that can do anything with this bucket.


However, if I connect to AWS without credentials, I can write to this bucket without any problem. This is not what I want. I don't want anyone except for UserX to write into this bucket (or read from it for that matter).


If I remove this policy from UserX, then the default behavior applies - neither request (authenticated or unauthenticated) to write works, which is what I expect.


This policy appears to be opening up access to all users, even though it is attached to UserX.


Here is the (effective - the actual code is in methods) code I'm using to do this:


For the unauthenticated request (the one that can write but shouldn't be able to):



s3 = AWS::S3.new
bucket = s3.buckets[my_bucket_name]
o = bucket.objects[aws_filename]
o.write(:file => filename_on_local_system)


For the authenticated request:



AWS.config(:access_key_id     => AWS_ACCESS_KEY_ID,
           :secret_access_key => AWS_SECRET_ACCESS_KEY,
           :region            => 'us-west-2')
s3 = AWS::S3.new
bucket = s3.buckets[my_bucket_name]
o = bucket.objects[aws_filename]
o.write(:file => filename_on_local_system)


I've also tried:



  • attaching this policy to a group and assigning UserX to that group with the same results

  • creating a bucket policy to allow this user to write to it, which resulted in not being able to write to the bucket as UserX (the "opposite" problem)

  • using the aws-s3 gem instead (but was unable to get a good request to go to AWS).


The AWS policy simulator appears to work, but since you can't specify which user is doing the action, it doesn't really help me debug this.


This is extremely frustrating. I'm thinking I may need to look into ACLs, even though they are frowned upon.


Any help is appreciated.


Wes
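The point the question turns on is how AWS decides whether a request is allowed: an identity-based policy attached to UserX can only ever grant permissions to UserX, so by itself it cannot open the bucket to anonymous callers; an unsigned request can only be allowed by a resource-based grant (a bucket policy or ACL whose principal is "*"). The Ruby below is an added example, not code from the post or from the AWS SDK: a deliberately simplified model of that evaluation (explicit Deny wins, otherwise any applicable Allow grants, otherwise the implicit default is Deny) that covers identity policies and a bucket policy only. It ignores ACLs, SCPs, permission boundaries and session policies, and the account ID, user names and object keys are constructed. It runs the policy from the question through the scenarios described above, and also shows two things the question does not mention: that "my_bucket_name/*" does not cover bucket-level actions such as s3:ListBucket, and that a bucket-policy Deny overrides an identity-policy Allow.

```ruby
# Simplified model of AWS IAM request evaluation (added example, not AWS code).
# Assumption: only identity-based policies and one bucket (resource) policy are
# considered. Explicit Deny wins; otherwise any applicable Allow grants access;
# otherwise the implicit default is Deny. ACLs, SCPs, permission boundaries and
# session policies are deliberately left out of this model.

# Turn an IAM-style pattern ("s3:*", "arn:aws:s3:::my_bucket_name/*") into a regexp.
def iam_pattern(pattern)
  Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.') + '\z')
end

def matches?(patterns, value)
  Array(patterns).any? { |p| iam_pattern(p) =~ value }
end

# A statement applies to a request when both its Action and Resource match.
def statement_applies?(stmt, action, resource)
  matches?(stmt['Action'], action) && matches?(stmt['Resource'], resource)
end

# Resource-policy statements additionally name a Principal.
# "*" (or {"AWS" => "*"}) matches everyone, including anonymous callers.
def principal_matches?(stmt, principal)
  p = stmt['Principal']
  p = p['AWS'] if p.is_a?(Hash)
  Array(p).any? { |entry| entry == '*' || entry == principal }
end

# identity_policies: { principal_arn => [policy_document, ...] }
# bucket_policy:     a policy document, or nil if the bucket has none
# principal:         caller ARN, or :anonymous for an unsigned request
# Returns :allow or :deny.
def evaluate(identity_policies, bucket_policy, principal, action, resource)
  applicable = []
  unless principal == :anonymous            # identity policies never apply to anonymous callers
    (identity_policies[principal] || []).each do |doc|
      doc['Statement'].each { |s| applicable << s if statement_applies?(s, action, resource) }
    end
  end
  if bucket_policy
    bucket_policy['Statement'].each do |s|
      applicable << s if principal_matches?(s, principal) && statement_applies?(s, action, resource)
    end
  end
  return :deny  if applicable.any? { |s| s['Effect'] == 'Deny' }   # explicit deny always wins
  return :allow if applicable.any? { |s| s['Effect'] == 'Allow' }
  :deny                                                            # implicit default
end

# --- constructed sample data ---------------------------------------------------
USER_X = 'arn:aws:iam::123456789012:user/UserX'   # constructed account id
USER_Y = 'arn:aws:iam::123456789012:user/UserY'
BUCKET = 'arn:aws:s3:::my_bucket_name'
OBJECT = 'arn:aws:s3:::my_bucket_name/report.csv' # constructed object key

# The policy from the question, attached to UserX only.
WES_POLICY = {
  'Version' => '2012-10-17',
  'Statement' => [{ 'Sid' => 'my_sid', 'Effect' => 'Allow',
                    'Action' => 's3:*', 'Resource' => "#{BUCKET}/*" }]
}
IDENTITY_POLICIES = { USER_X => [WES_POLICY] }

# A bucket policy that really would open the bucket to unsigned writes.
PUBLIC_WRITE_POLICY = {
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Principal' => '*',
                    'Action' => 's3:PutObject', 'Resource' => "#{BUCKET}/*" }]
}

# A bucket policy that forbids deletes for everyone, UserX included.
DENY_DELETE_POLICY = {
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Deny', 'Principal' => '*',
                    'Action' => 's3:DeleteObject', 'Resource' => "#{BUCKET}/*" }]
}

# Runs the scenarios from the question (plus the two extra cases) and returns them.
def wes_scenarios
  {
    :user_x_put          => evaluate(IDENTITY_POLICIES, nil, USER_X, 's3:PutObject', OBJECT),
    :anonymous_put       => evaluate(IDENTITY_POLICIES, nil, :anonymous, 's3:PutObject', OBJECT),
    :user_y_put          => evaluate(IDENTITY_POLICIES, nil, USER_Y, 's3:PutObject', OBJECT),
    :anonymous_put_public => evaluate(IDENTITY_POLICIES, PUBLIC_WRITE_POLICY, :anonymous, 's3:PutObject', OBJECT),
    :user_x_list_bucket  => evaluate(IDENTITY_POLICIES, nil, USER_X, 's3:ListBucket', BUCKET),
    :user_x_delete_denied => evaluate(IDENTITY_POLICIES, DENY_DELETE_POLICY, USER_X, 's3:DeleteObject', OBJECT)
  }
end

if __FILE__ == $0
  wes_scenarios.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

Under this model the identity policy alone yields allow for UserX and deny for both the anonymous caller and UserY, which is the behaviour the question expected; an anonymous write is only allowed once a bucket-level grant with Principal "*" exists. The practical check that follows from this is therefore on the bucket side (its policy and ACL) and on which credentials the SDK actually resolved for the supposedly unsigned request, not on the user policy.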




