Y M

Reputation: 2202

How can I upload files to Amazon S3 without listing the bucket?

I am uploading files to S3 from an Angular front-end, with the S3 bucket policy set as:

{
  "Id": "Policy1499245520254",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1499245493674",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::test-dev/*",
                "arn:aws:s3:::test-dev"],
      "Principal": "*"
    }
  ]
}

But if I change the above policy to

{
  "Id": "Policy1499245520254",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1499245493674",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::test-dev/*",
                "arn:aws:s3:::test-dev"],
      "Principal": "*"
    },
    {
      "Sid": "Stmt1499245517941",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::test-dev",
      "Principal": "*"
    }
  ]
}

Where I added:

{
      "Sid": "Stmt1499245517944",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::test-dev",
      "Principal": "*"
 }

After adding the bucket list deny, the upload fails. Is there any way I can upload files without listing the bucket?

Upvotes: 0

Views: 851

Answers (2)

Y M

Reputation: 2202

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::test-dev",
                "arn:aws:s3:::test-dev/*"
            ]
        }
    ]
}

I solved it by just allowing these permissions; apparently bucket list is not needed for this, and that solves the problem.

Upvotes: 1

Khalid T.

Reputation: 10567

That's because the s3:ListBucket action covers the GET Bucket (List Objects) and HEAD Bucket operations. The HEAD Bucket operation determines if the bucket exists and you have permission to access it, which seems to be called before any action on objects (such as the s3:PutObject action). See Specifying Permissions in a Policy.

Upvotes: 0
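
A simplified model of how the three bucket policies on this page evaluate, added here as an example and not code from either poster or from AWS. It shows that the Deny statement blocks only s3:ListBucket (the permission the answer above ties to HEAD Bucket) and leaves s3:PutObject allowed, while the object-only policy simply never grants s3:ListBucket. Assumptions: Principal and Condition are ignored, only `*` wildcards are handled, and the object key `upload.txt` is made up.

```javascript
// Added example: simplified evaluation of a single S3 bucket policy.
// Assumptions: Principal and Condition are ignored, only "*" wildcards are
// handled, and the object key "upload.txt" is made up for the demonstration.
const BUCKET = 'arn:aws:s3:::test-dev';
const asList = (x) => (Array.isArray(x) ? x : [x]);

function globMatch(pattern, value, caseInsensitive) {
  const body = pattern.split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${body}$`, caseInsensitive ? 'i' : '').test(value);
}

// Explicit Deny wins over any Allow; no matching statement is an implicit deny.
function evaluate(policy, action, resource) {
  let allowed = false;
  for (const st of policy.Statement) {
    const hit =
      asList(st.Action).some((a) => globMatch(a, action, true)) &&
      asList(st.Resource).some((r) => globMatch(r, resource, false));
    if (!hit) continue;
    if (st.Effect === 'Deny') return 'explicit-deny';
    allowed = true;
  }
  return allowed ? 'allow' : 'implicit-deny';
}

// The statements from the question and from the accepted-style answer.
const allowAll = { Effect: 'Allow', Action: ['s3:*'], Resource: [`${BUCKET}/*`, BUCKET] };
const denyList = { Effect: 'Deny', Action: ['s3:ListBucket'], Resource: BUCKET };
const objectOnly = {
  Effect: 'Allow',
  Action: ['s3:GetObject', 's3:PutObject', 's3:GetObjectAcl', 's3:PutObjectAcl',
    's3:PutObjectTagging', 's3:PutObjectVersionAcl', 's3:PutObjectVersionTagging'],
  Resource: [BUCKET, `${BUCKET}/*`],
};
const policies = {
  question1: { Statement: [allowAll] },
  question2: { Statement: [allowAll, denyList] },
  answer: { Statement: [objectOnly] },
};

function report() {
  const out = {};
  for (const [name, policy] of Object.entries(policies)) {
    out[name] = {
      putObject: evaluate(policy, 's3:PutObject', `${BUCKET}/upload.txt`),
      listBucket: evaluate(policy, 's3:ListBucket', BUCKET),
    };
  }
  return out;
}
console.log(report());
```

An explicit Deny in a bucket policy also overrides an Allow granted elsewhere, whereas an implicit deny does not, which is one difference between the second policy in the question and the object-only policy.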
