AWS: S3 - 2
S3 Part 2
Access
Access status
The list buckets view shows whether your bucket is publicly accessible. Amazon S3 labels the permissions for a bucket as follows:
Public – Everyone has access to one or more of the following: List objects, Write objects, Read and write permissions.
Objects can be public – The bucket is not public, but anyone with the appropriate permissions can grant public access to objects.
Buckets and objects not public – The bucket and objects do not have any public access.
Only authorized users of this account – Access is isolated to IAM users and roles in this account and AWS service principals because there is a policy that grants public access.
Management
Bucket and object permissions are independent of each other. An object does not inherit the permissions from its bucket. For example, if you create a bucket and grant write access to a user, you can’t access that user’s objects unless the user explicitly grants you access.
Each permission you grant for a user or a group adds an entry in the ACL that is associated with the object. The ACL lists grants, which identify the grantee and the permission granted. ACLs are resource-based access policies that grant access permissions to buckets and objects.
Block public access settings
S3 Block Public Access provides four settings. You can apply these settings in any combination to individual access points, buckets, or entire AWS accounts. If you apply a setting to an account, it applies to all buckets and access points that are owned by that account. Similarly, if you apply a setting to a bucket, it applies to all access points associated with that bucket.
ACLs
Amazon S3 considers a bucket or object ACL public if it grants any permissions to members of the predefined AllUsers or AuthenticatedUsers groups.
Policies
When evaluating a bucket policy, Amazon S3 begins by assuming that the policy is public. It then evaluates the policy to determine whether it qualifies as non-public. To be considered non-public, a bucket policy must grant access only to fixed values.
Access points
Amazon S3 evaluates block public access settings slightly differently for access points compared to buckets. The rules that Amazon S3 applies to determine when an access point policy is public are generally the same for access points as for buckets, except in the following situations:
An access point that has a VPC network origin is always considered non-public, regardless of the contents of its access point policy.
An access point policy that grants access to a set of access points using s3:DataAccessPointArn is considered public.
Permissions
Operation | Required permissions |
---|---|
GET bucket policy status | s3:GetBucketPolicyStatus |
GET bucket Block Public Access settings | s3:GetBucketPublicAccessBlock |
PUT bucket Block Public Access settings | s3:PutBucketPublicAccessBlock |
DELETE bucket Block Public Access settings | s3:PutBucketPublicAccessBlock |
GET account Block Public Access settings | s3:GetAccountPublicAccessBlock |
PUT account Block Public Access settings | s3:PutAccountPublicAccessBlock |
DELETE account Block Public Access settings | s3:PutAccountPublicAccessBlock |
PUT access point Block Public Access settings | s3:PutAccessPointPublicAccessBlock |