Help regarding s3 buckets read-write permissions #7636
Hello everyone, I would like to ask you for some help regarding S3 bucket ACL permissions. My objective is: whenever I want to upload some objects/files to the bucket with the help of a CLI/bash script, I need to make it write-allowed, and as soon as this write operation is completed I need to make the object/specific folder go read-only, in order to prevent any other persons (within an organization) from modifying/deleting the uploaded objects. How can I achieve this? At the time of creating a bucket, what kind of permissions are required to be provided? I have referred to these and tried them out as well. But it didn't work for me: even though I see the permissions turned to read-only, I was able to go and upload files to that bucket from the GUI. Commands used:
At the time of creating s3 bucket i gave these permissions:
Looking for a solution to my problem eagerly.
Replies: 3 comments 8 replies
@RyanFitzSimmonsAK can you help me figure out a way to solve this?
Hi @attili-sanjeet, thanks for reaching out. Bucket owners have full control over the bucket and objects they own inside of it. It shouldn't be possible to restrict your own permissions. If you want to restrict other accounts from deleting or modifying objects in the bucket, you can enforce that the bucket owner owns every object in the bucket, and can set restrictions on them. In your use case, are you worried about other people uploading or modifying objects from the bucket owner account?
Hi @RyanFitzSimmonsAK, thanks for responding to my query. I have previously tried "bucket owner preferred" with the ACLs-enabled option and asked the other people to view that object; even with read permissions set, they were able to upload new files into that object. Yeah, I am worried about other people uploading or modifying objects from the bucket owner account.
It sounds like you're using the account's root user, and that several people have access to it. I would discourage that particular practice, as the root user has complete access to every aspect of the account. I've attached some relevant documentation.
Root user - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
Read / write - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html
You should be able to restrict the permissions of people not using the root user.
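To make the "restrict everyone who is not the root user" advice concrete, here is an added example (not code from the thread, the AWS SDK, or the AWS documentation linked above). It builds an S3 bucket policy in which one dedicated uploader role may write, a read-only role may only list and get, and an explicit Deny blocks `s3:PutObject`, `s3:DeleteObject` and `s3:PutObjectAcl` for any principal other than the uploader role via the `aws:PrincipalArn` condition key. It then runs a deliberately simplified evaluator (explicit deny wins over allow, otherwise implicit deny; only `StringEquals`/`StringNotEquals` are modelled, no identity policies, SCPs or ACLs) over a few constructed requests so you can see which calls the policy would reject. The bucket name, account id and role ARNs are placeholders I made up; the policy JSON is what you would hand to `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`.

```python
import fnmatch
import json

# Constructed placeholders; replace with your own bucket and role ARNs.
BUCKET = "example-upload-bucket"
UPLOADER_ROLE_ARN = "arn:aws:iam::111122223333:role/UploaderRole"
READER_ROLE_ARN = "arn:aws:iam::111122223333:role/ReadOnlyRole"


def build_bucket_policy(bucket, uploader_arn, reader_arns):
    """Return a bucket policy dict: uploader writes, readers read, everyone else is denied writes."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "UploaderReadWrite",
                "Effect": "Allow",
                "Principal": {"AWS": uploader_arn},
                "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
                "Resource": [bucket_arn, objects_arn],
            },
            {
                "Sid": "ReadersReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": list(reader_arns)},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [bucket_arn, objects_arn],
            },
            {
                # Explicit deny beats any allow, so even a principal with broad
                # identity-policy rights cannot overwrite or delete objects.
                "Sid": "DenyWritesExceptUploader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"],
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": uploader_arn}},
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(principal.get("AWS", [])))


def _condition_holds(condition, context):
    # Simplified: only the two string operators used in the policy above are modelled.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy, principal_arn, action, resource):
    """Simplified IAM decision: 'explicit deny' > 'allow' > 'implicit deny'."""
    decision = "implicit deny"
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, UPLOADER_ROLE_ARN, [READER_ROLE_ARN])
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    for who, act in [(UPLOADER_ROLE_ARN, "s3:PutObject"), (READER_ROLE_ARN, "s3:GetObject"),
                     (READER_ROLE_ARN, "s3:PutObject"), (READER_ROLE_ARN, "s3:DeleteObject")]:
        print(f"{who.split('/')[-1]:14} {act:16} -> {evaluate(policy, who, act, obj)}")
```

Note that this still does not restrict the root user of the bucket-owning account, which is the point made above: give each person their own IAM identity and keep the root credentials out of day-to-day use, and the Deny statement does the rest. If you also need protection against the uploader role overwriting an object it has already written, that is a separate feature (object versioning or Object Lock) rather than a policy change.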