
Using CloudFormation can you set the Authenticated Users group to have put/delete Access Control when creating an S3 Bucket?

  • Do you actually want to grant put/delete rights for your bucket to all Amazon S3 users or only the users of your own account(s)? May 27, 2012 at 20:15
  • @Steffan - Thanks for your reply. It looked like with the canned ACLs what I really needed was an AuthenticatedWrite (which annoyingly enough is available through the Amazon Web Console). I guess what I am really looking for is a way to replicate AuthenticatedWrite through bucket policies.
    – nsfyn55
    May 28, 2012 at 12:31
  • So you actually want to do that, interesting (I always wonder what the use case might be for limiting write access to the potentially millions of de facto anonymous S3 users vs. just allowing really anonymous usage in the first place, anyway ...) - this would be easy, if bucket policies would allow to specify a wildcard for the namespace/account fragment in Principal, i.e. something like arn:aws:iam::*:root; this doesn't seem to be possible though, at least it isn't documented (you might give it a shot of course). May 28, 2012 at 13:01
  • I see it appears that I have actually misinterpreted what AuthenticatedWrite meant. If what I am reading is correct it's anyone authenticated with Amazon? I thought there was another tier of Access Control that limited to the buckets in your little section of the cloud.
    – nsfyn55
    May 28, 2012 at 23:53
  • That's correct, it is indeed anyone authenticated with Amazon - this has been a weird concept in the first place and is regularly misinterpreted 'til this day, likely yielding plenty of security leaks all over S3; I really wish AWS would remove or prominently clarify that effect at least (the docs are correct in principle, just not obvious enough by far). That said, you can achieve your goal of granting authenticated write for the users of your own account(s) only with a bucket policy as outlined in my answer already. May 29, 2012 at 0:52

1 Answer


This is not possible with the initial and respectively limited Access Control Lists (ACL) of Amazon S3, where only the predefined Canned ACLs are available for use with the AWS resource types supported by AWS CloudFormation in turn, see property AccessControl of the AWS::S3::Bucket resource:

A canned ACL that grants predefined permissions on the bucket. Default is Private. For more information about canned ACLs, see Canned ACLs in the Amazon S3 documentation.

Valid values for AccessControl: AuthenticatedRead | AwsExecRead | BucketOwnerRead | BucketOwnerFullControl | LogDeliveryWrite | Private | PublicRead | PublicReadWrite

Assuming you do not want to give put/delete access to all S3 users in fact (which the Authenticated Users group actually implies to the surprise of the unaware S3 developer), but only to the users of your own (or a well known set of) account(s) as usual for most use cases, you can achieve your goal by using S3 Bucket Policies instead.

The Example Cases for Amazon S3 Bucket Policies provide an example policy for Granting Permissions to Multiple Accounts with Added Restrictions, which grants PutObject and PutObjectAcl permissions to multiple accounts and requires that the public-read canned ACL is included - stripping this to the requested set and transforming it into a CloudFormation template snippet would yield approximately the following (you'd need to adjust the Principal to your account(s) of course):

"Resources" : {
  "S3Bucket" : {
    "Type" : "AWS::S3::Bucket"
  },
  "BucketPolicy" : {
    "Type" : "AWS::S3::BucketPolicy",
    "Properties" : {
      "PolicyDocument": {
        "Version"      : "2012-10-17",
        "Id"           : "Grant access to all account users",
        "Statement"    : [{
          "Sid"        : "PutObjectAccess",
          "Action"     : ["s3:PutObject"],
          "Effect"     : "Allow",
          "Resource"   : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3Bucket"}, "/*" ]]},
          "Principal"  : { "AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"] }
        }]
      },
      "Bucket" : {"Ref" : "S3Bucket"}
    }
  }
},

Please be aware of the peculiarities of Using ACLs and Bucket Policies Together in case.

  • That was helpful, thanks, but your "peculiarities" link above is dead. Can you summarise the issues or find where it moved to?
    – telent
    Sep 29, 2014 at 10:07
  • @telent - the content seems to have gone during a significant restructuring of the entire section. I need to rephrase this somehow later on, but right now the former content is still available in the AWS China (Beijing) Region docs, see Using ACLs and Bucket Policies Together at least. Sep 29, 2014 at 18:20
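As an added defensive check (example code written for this page, not code from the thread or from AWS), the following Python audit walks a CloudFormation template and flags the two pitfalls discussed above: a canned ACL such as AuthenticatedRead, whose grantee is every AWS account holder rather than the users of your own account, and a bucket-policy statement that allows an object-level action such as s3:PutObject on the bucket ARN without the /* object path; it also flags wildcard principals like arn:aws:iam::*:root. The template, resource names and account id in SAMPLE are constructed sample values.

```python
# AuthenticatedRead reaches any AWS account holder, the misreading discussed in the thread above.
BROAD_CANNED_ACLS = {"AuthenticatedRead", "PublicRead", "PublicReadWrite"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:GetObject"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _resolve(v):
    """Flatten Ref / Fn::Join intrinsics into a plain string for inspection."""
    if isinstance(v, dict) and "Ref" in v:
        return "<" + v["Ref"] + ">"
    if isinstance(v, dict) and "Fn::Join" in v:
        sep, parts = v["Fn::Join"]
        return sep.join(_resolve(p) for p in parts)
    return str(v)

def _broad_principal(p):
    """True for '*' or an IAM ARN with a wildcard account id, i.e. any AWS account."""
    arns = ["*"] if p == "*" else _as_list(p.get("AWS", [])) if isinstance(p, dict) else []
    return any(a == "*" or a.startswith("arn:aws:iam::*:") for a in arns)

def audit_template(template):
    """Return findings for every AWS::S3::Bucket and AWS::S3::BucketPolicy resource."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            acl = props.get("AccessControl", "Private")  # CloudFormation's default
            if acl in BROAD_CANNED_ACLS:
                findings.append(f"{name}: canned ACL {acl} grants access outside the account")
        elif res.get("Type") == "AWS::S3::BucketPolicy":
            for s in props.get("PolicyDocument", {}).get("Statement", []):
                if s.get("Effect") != "Allow":
                    continue
                tag = f"{name}/{s.get('Sid', 'no-sid')}"
                if _broad_principal(s.get("Principal")):
                    findings.append(f"{tag}: Allow with a wildcard principal")
                res_strs = [_resolve(r) for r in _as_list(s.get("Resource", []))]
                object_scoped = any("/" in r or r.endswith("*") for r in res_strs)
                if OBJECT_ACTIONS & set(_as_list(s.get("Action", []))) and not object_scoped:
                    findings.append(f"{tag}: object action on a bucket ARN without /*")
    return findings

# Constructed sample: the misread canned ACL plus a PutObject grant scoped to the bucket ARN only.
SAMPLE = {"Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "AuthenticatedRead"}},
    "BucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {"Bucket": {"Ref": "S3Bucket"},
        "PolicyDocument": {"Statement": [{"Sid": "PutObjectAccess", "Effect": "Allow",
            "Action": ["s3:PutObject"], "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
            "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3Bucket"}]]}}]}}}}}
```

Running `audit_template(SAMPLE)` reports both the AuthenticatedRead ACL and the bucket-ARN-only PutObject statement; adding "/*" to the Fn::Join and dropping the ACL clears the findings.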
