I have two buckets, each with its own goal. So far I cannot understand the complicated configuration of bucket settings. It seems there are three things to configure:
- Block public access
- Bucket policy
- ACL
I know that if I turn off (1), everything that I want to accomplish just works. Even though these are the four most meaningless settings I have ever seen (why would I care about restricting access to a bucket based on when a policy was modified???)
It seems that what I add to (2) doesn't really matter. For example I have one policy that only allows GetObject, yet I can DeleteObject and PutObject from the SDK. I have another policy that allows DeleteObject, GetObject, and PutObject, yet only delete works and put throws an Access Denied (from an IAM account that has Administrative access to everything under the sun).
I don't even know the point of (3). Why would I ever want to allow permissions to any AWS user? Anyway...
I have two buckets with two goals and I cannot figure out the combination of things to do.
A: Public bucket for static website
For this one, I have Block public access set to OFF, and a policy like so (that I think does nothing whatsoever). Anyone can view the bucket contents (good!), but this policy should not allow any PutObject, yet it does.
{
    "Version": "2012-10-17",
    "Id": "Policy1632669906301",
    "Statement": [
        {
            "Sid": "Stmt1632669869776",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::publicwebsite/*"
        }
    ]
}
Why can I upload and delete when only GetObject is defined?
B: Secure bucket for backups
This bucket is for my app to send data backups to. So the only thing that should be able to read/write is my application. But if I turn on Block public access, I cannot upload, yet I can delete. Again, it makes no sense at all. If I turn off Block public access, I can do it all. Here is the policy:
{
    "Version": "2012-10-17",
    "Id": "Policy1635858319261",
    "Statement": [
        {
            "Sid": "Stmt1635858317672",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXX:user/backup-user"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::backups/*"
        }
    ]
}
Why can I delete but not put?
Furthermore, Amazon is ADAMANT about always keeping on Block public access, yet you cannot even modify a Bucket policy if this is enabled! This is insanity!!!!!!!
Here are my findings after some testing.
My accounts are as follows:
- root account, owner of bucket
- IAM account (Admin) with Administrative everything
- IAM account (User) with absolutely no authority to do anything at all
For bucket policies, see the second one posted above.
I am exploring what the combination of policy and Block public access settings do. They continue to make 0 sense whatsoever.
Case 1
- Block all public access: OFF
- Bucket policy: EMPTY
- ACL: Bucket owner (list, write | read, write)
Result: Admin can upload and delete, User cannot do anything
Case 2
- Block all public access:
  - [x] new access control lists
- Bucket policy: EMPTY
- ACL: Bucket owner (list, write | read, write)
Result: Admin can delete, but not upload, User cannot do anything
Case 3
- Block all public access:
  - [x] new access control lists
  - [x] any access control lists
- Bucket policy: EMPTY
- ACL: Bucket owner (list, write | read, write)
Result: Admin can delete, but not upload, User cannot do anything
Case 4
- Block all public access:
  - [x] new access control lists
  - [x] any access control lists
  - [x] new access point policies
- Bucket policy: EMPTY
- ACL: Bucket owner (list, write | read, write)
Result: Admin can delete, but not upload, User cannot do anything
Case 5
- Block all public access: ON
- Bucket policy: EMPTY
- ACL: Bucket owner (list, write | read, write)
Result: Admin can delete, but not upload, User cannot do anything
Conclusion: Block public access when set to ON allows everything. Any other configuration allows delete (and maybe more, like get) but not put.
Case 6
- Block all public access: OFF
- Bucket policy: Admin (Get/Put/Delete object) User (nothing)
- ACL: Bucket owner (list, write | read, write)
Result: Admin can upload and delete, User cannot do anything
Case 7
- Block all public access:
  - [x] new access control lists
- Bucket policy: Admin (Get/Put/Delete object) User (nothing)
- ACL: Bucket owner (list, write | read, write)
Result: Admin can delete, User cannot do anything
Case 8
- Block all public access:
  - [x] new access control lists
  - [x] any access control lists
- Bucket policy: Admin (Get/Put/Delete object) User (nothing)
- ACL: Bucket owner (list, write | read, write)
Result: Admin can delete, User cannot do anything
Case 9
- Block all public access:
  - [x] new access control lists
  - [x] any access control lists
  - [x] new access point policies
- Bucket policy: Admin (Get/Put/Delete object) User (nothing)
- ACL: Bucket owner (list, write | read, write)
Result: Admin can delete, User cannot do anything
Case 10
- Block all public access: ON
- Bucket policy: Admin (Get/Put/Delete object) User (nothing)
- ACL: Bucket owner (list, write | read, write)
Result: Admin can delete, User cannot do anything
Conclusion: Bucket policy has literally no effect on anything
TL;DR: It seems that Bucket policy does nothing. Only Block public access has any measurable effect, with the only usable option being to turn it off. I have also removed my bucket policy from my public bucket and it also did not change anything.
My conclusion is that either Bucket policy is broken, that the documentation is not sufficient, or that the settings themselves are counterintuitive and don't actually do what they say. Or any combination of anything.
I'd rather host my content on an FTP server in my basement at this point.
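The ten cases above are easier to reason about with a small model of the rules S3 actually applies, so here is one as an added example (editor's code, not from the original post and not AWS code). It encodes only the documented rules that matter for these scenarios: an explicit Deny wins; for a caller in the bucket owner's account, an Allow from either the caller's IAM identity policy or the bucket policy is sufficient; a caller with no identity grant (or an anonymous request) needs a bucket policy Allow; BlockPublicAcls rejects a PutObject that carries a public canned ACL; and RestrictPublicBuckets makes a `"Principal": "*"` bucket policy apply only to the owner's own account. Conditions, SCPs, permission boundaries and object ownership are left out. The account id, ARNs and object keys are constructed, and the `acl="public-read"` case is an assumption: an upload that carries a public ACL is one explanation, consistent with the BlockPublicAcls rule, for a PUT failing while a DELETE (which carries no ACL) succeeds.

```python
"""Simplified model of S3 request authorisation, replaying the post's cases.
Added example, not from the original post or from AWS; see the lead-in for
which rules are modelled and which are deliberately omitted."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple

PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


@dataclass(frozen=True)
class Caller:
    arn: Optional[str]                      # None = anonymous request
    account: Optional[str]
    identity_allows: Tuple[str, ...] = ()   # actions granted by the caller's IAM policies


@dataclass(frozen=True)
class BlockPublicAccess:
    block_public_acls: bool = False
    ignore_public_acls: bool = False
    block_public_policy: bool = False
    restrict_public_buckets: bool = False


BPA_OFF = BlockPublicAccess()
BPA_ON = BlockPublicAccess(True, True, True, True)


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _is_public_principal(principal) -> bool:
    return principal == "*" or principal == {"AWS": "*"}


def _principal_matches(principal, caller: Caller) -> bool:
    if _is_public_principal(principal):
        return True
    if caller.arn is None or not isinstance(principal, dict):
        return False
    return caller.arn in _as_list(principal.get("AWS", []))


def _any_match(patterns, value) -> bool:
    # IAM action/resource wildcards behave like shell globs for our purposes
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(caller, action, resource_arn, bucket_owner_account, bucket_policy, bpa, acl=None):
    """Return (allowed, reason) for one request."""
    # BlockPublicAcls rejects an upload that would create a public object, whoever the caller is.
    if bpa.block_public_acls and action == "s3:PutObject" and acl in PUBLIC_CANNED_ACLS:
        return False, "AccessDenied: BlockPublicAcls rejects PutObject with a public ACL"
    same_account = caller.account is not None and caller.account == bucket_owner_account
    allowed_by = None
    for stmt in bucket_policy.get("Statement", []):
        if not (_any_match(stmt["Action"], action) and _any_match(stmt["Resource"], resource_arn)
                and _principal_matches(stmt["Principal"], caller)):
            continue
        if stmt["Effect"] == "Deny":
            return False, "AccessDenied: explicit Deny in bucket policy (%s)" % stmt.get("Sid")
        if _is_public_principal(stmt["Principal"]) and bpa.restrict_public_buckets and not same_account:
            continue  # RestrictPublicBuckets: public grant ignored outside the owner account
        allowed_by = allowed_by or "bucket policy %s" % stmt.get("Sid")
    if same_account and _any_match(caller.identity_allows, action):
        allowed_by = allowed_by or "IAM identity policy"  # same-account: identity Allow is enough
    return (True, "Allowed by " + allowed_by) if allowed_by else (False, "AccessDenied: no Allow applies")


# Constructed principals and policies (account id replaced by a placeholder value).
OWNER = "111111111111"
ADMIN = Caller("arn:aws:iam::111111111111:user/admin", OWNER, ("s3:*",))
USER = Caller("arn:aws:iam::111111111111:user/user", OWNER, ())
BACKUP_USER = Caller("arn:aws:iam::111111111111:user/backup-user", OWNER, ())
ANON = Caller(None, None, ())
PUBLIC_SITE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::publicwebsite/*"}]}
BACKUP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BackupUser", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:user/backup-user"},
    "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::backups/*"}]}


def replay():
    """Replay the post's scenarios; returns {name: allowed}."""
    obj, site = "arn:aws:s3:::backups/db.dump", "arn:aws:s3:::publicwebsite/index.html"
    return {
        # Cases 1-10: Admin's identity policy allows everything, so the bucket policy is invisible to Admin
        "admin_delete_bpa_on": evaluate(ADMIN, "s3:DeleteObject", obj, OWNER, {}, BPA_ON)[0],
        "admin_put_bpa_on": evaluate(ADMIN, "s3:PutObject", obj, OWNER, {}, BPA_ON)[0],
        # ...except an upload carrying a public ACL, which BlockPublicAcls rejects (assumed cause of the PUT failure)
        "admin_put_public_acl_bpa_on": evaluate(ADMIN, "s3:PutObject", obj, OWNER, {}, BPA_ON, acl="public-read")[0],
        "admin_put_public_acl_bpa_off": evaluate(ADMIN, "s3:PutObject", obj, OWNER, {}, BPA_OFF, acl="public-read")[0],
        # User has neither an identity grant nor a bucket policy grant
        "user_put": evaluate(USER, "s3:PutObject", obj, OWNER, BACKUP_POLICY, BPA_ON)[0],
        # the bucket policy is what matters for a principal with no identity grant (the app's backup user)
        "backup_user_put": evaluate(BACKUP_USER, "s3:PutObject", obj, OWNER, BACKUP_POLICY, BPA_ON)[0],
        "backup_user_put_no_policy": evaluate(BACKUP_USER, "s3:PutObject", obj, OWNER, {}, BPA_ON)[0],
        # public website: anonymous GET works only while RestrictPublicBuckets is off; anonymous PUT never does
        "anon_get_bpa_off": evaluate(ANON, "s3:GetObject", site, OWNER, PUBLIC_SITE_POLICY, BPA_OFF)[0],
        "anon_get_bpa_on": evaluate(ANON, "s3:GetObject", site, OWNER, PUBLIC_SITE_POLICY, BPA_ON)[0],
        "anon_put_bpa_off": evaluate(ANON, "s3:PutObject", site, OWNER, PUBLIC_SITE_POLICY, BPA_OFF)[0],
    }


if __name__ == "__main__":
    for name, allowed in replay().items():
        print(f"{name:30} {'allowed' if allowed else 'DENIED'}")
```

Running `replay()` shows the pattern the test matrix hides: the Admin user is allowed by its own IAM policy before the bucket policy is ever consulted, and the User is denied because nothing grants it anything, so neither of them can reveal what the bucket policy does. The principal it is written for (`backup-user`, with no identity grant) is the one to test with, and for the backups bucket that is also the least-privilege design: Block Public Access fully on, no public ACLs on uploads, and a bucket policy naming only the application's principal.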