
AWS S3 bucket policy does not define Put, yet it is allowed

I have a public static website which images can be uploaded to. For this I enabled static website hosting and set Block public access to OFF. I then added this policy:

```json
{
    "Version": "2012-10-17",
    "Id": "Policy1632669906301",
    "Statement": [
        {
            "Sid": "Stmt1632669869776",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myapp/*"
        }
    ]
}
```

This should allow anyone to access objects, but it is also allowing my IAM account (with Administrative everything) to upload, delete, etc. This shouldn't be possible. Why is it possible? And what else does this mean? That anyone can upload and delete from the bucket?

Turning on ANY combination of Block all public access prevents my IAM account from uploading, yet it can still delete.

Nothing makes any sense at all.

Please don't re-post. [AWS S3 bucket policy for get and upload](https://serverfault.com/questions/1082400/aws-s3-bucket-policy-for-get-and-upload)
pbuzz007
It is not a repost, it is a different question. And does it affect your day to day life? Is it a problem to you that there are lots of similar questions on SO with slightly different criteria that might help people facing similar issues? Don't like the post, just move on and don't answer it.
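
Added example, not part of the original thread: a simplified Python model of how AWS decides an S3 request made from within the bucket's own account, applied to the bucket policy in the question. It assumes the IAM user carries an identity policy equivalent to AdministratorAccess, uses a constructed account ID, and ignores ACLs, Block Public Access, SCPs and permission boundaries.

```python
from fnmatch import fnmatchcase

# Bucket policy from the question (resource-based policy on "myapp").
BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::myapp/*"}]}

# Assumption: the asker's IAM user has an identity policy equivalent to the
# AWS managed AdministratorAccess policy (Allow * on *).
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ADMIN_ARN = "arn:aws:iam::111122223333:user/admin"  # constructed placeholder

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _effects(policy, action, resource, caller=None):
    """Return the set of Effects of all statements matching the request."""
    found = set()
    for stmt in policy["Statement"]:
        if "Principal" in stmt:  # only resource-based policies name a principal
            p = stmt["Principal"]
            named = _as_list(p if isinstance(p, str) else p.get("AWS", []))
            if "*" not in named and caller not in named:
                continue
        # IAM wildcards (* and ?) approximated with fnmatch; actions are
        # case-insensitive, resource ARNs are not.
        if (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            found.add(stmt["Effect"])
    return found

def evaluate(action, resource, identity_policy=None, caller=None,
             bucket_policy=BUCKET_POLICY):
    """Same-account decision: an explicit Deny anywhere wins; otherwise an
    Allow in EITHER the identity policy OR the bucket policy is enough."""
    effects = _effects(bucket_policy, action, resource, caller)
    if identity_policy is not None:  # anonymous callers have none
        effects |= _effects(identity_policy, action, resource)
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"

if __name__ == "__main__":
    obj = "arn:aws:s3:::myapp/cat.png"
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(act, "| anonymous:", evaluate(act, obj),
              "| admin:", evaluate(act, obj, ADMIN_POLICY, ADMIN_ARN))
```

In this model the anonymous caller is limited to `s3:GetObject`, while the administrator's writes and deletes are allowed by the identity policy alone; only an explicit `Deny` statement in the bucket policy would take them away.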