Home > Software engineering >  Bucket Policy allows for write access despite only having getObject in policy
Bucket Policy allows for write access despite only having getObject in policy

Time:04-24

I am working on a Django application and uploading files through the application. I've connected my credentials correctly using django-storages and boto3 packages, and can upload a file through the application.

The bucket is owner enforced file ownership and my bucket policy should be read only yet allows for a file upload:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

I am on an IAM user with AdministratorAccess policy, but believed S3 policies to go with the most restrictive permission of the two.

I've double checked I'm working with the correct bucket's policy.

Does GetObject allow for file uploads as well? or something...

How can I be sure no stranger on the internet can modify my files?

CodePudding user response:

but believed S3 policies to go with the most restrictive permission of the two

Sadly it does not work like that. The Allow permissions are cumulative, so your IAM user can write to the S3 bucket, regardless of what the bucket policy says.

The only way to change that is to add explicit deny for writes to your bucket policy. This is because explicit Deny "always wins" over any Allow.

  • Related