Reputation: 31610
I keep seeing this in bucket policy examples and I don't know what it is:
"Condition": {
    "StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control"
    }
}
Does this mean the user has to add a header "s3:x-amz-acl" that has value "bucket-owner-full-control"? Is this enforcing an actual ACL or is this arbitrary? Can it be any header and string or is there significance to s3:x-amz-acl and bucket-owner-full-control?
Upvotes: 15
Views: 16335
Reputation: 3396
Just an idea of something to try out for anyone out there suffering from AWS sickness.
import AWSS3

// Attach the canned ACL header to the upload request; this is the header that a
// bucket policy's s3:x-amz-acl condition is matched against.
let awsUploadExp = AWSS3TransferUtilityUploadExpression()
awsUploadExp.setValue("bucket-owner-full-control", forRequestParameter: "x-amz-acl")
Upvotes: 0
Reputation: 179194
This policy snippet requires that the request contain the specification of a canned ACL, using the header x-amz-acl (case-insensitive), with the value bucket-owner-full-control.
A constraint on this condition is normally used to ensure that the owner of the object (which is always the uploading user, not necessarily the owner of the bucket) can't create an object that the bucket owner is unable to read ("full control" is an unfortunate misnomer, because the bucket owner can already delete foreign objects, and despite this cannot further delegate permissions on the object).
But it isn't arbitrary.
Specifically: s3:x-amz-acl is an S3-specific IAM policy condition key that happens to be named exactly the same as the header that it matches.
It is not an arbitrary header match, even though such a capability might be handy at times. Most other HTTP headers are not subject to policy conditions, and you can't use, e.g., an s3:x-random-http-header condition.
There are global condition keys like aws:SecureTransport that can be used to deny a request that isn't using HTTPS, and aws:UserAgent that evaluates against the HTTP User-Agent header, but note the documented caveat that this "should not be used to prevent unauthorized parties from making direct AWS requests" because it is easily forged by the user agent. Otherwise there are not a lot of options for allowing/denying requests related to headers.
Unlike the condition key, the value string bucket-owner-full-control is not actually validated within the policy, since it's just a string, but if you don't specify a valid value, it will simply never match.
Upvotes: 20
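As an added illustration (not part of the answer above, and not the IAM policy engine itself): a small Python model of how the condition from the question is evaluated. It embeds the snippet in a complete, constructed bucket policy (the account ID, bucket name and object key are placeholders), maps the x-amz-acl request header into the s3:x-amz-acl context key, and then decides PutObject requests under default-deny semantics. Only the StringEquals operator and Allow statements are modelled; Principal matching and explicit Deny statements are deliberately left out so the header behaviour stays visible.

```python
import json

# Constructed example policy: the Condition block from the question wrapped in
# a full bucket policy. Account ID and bucket name are placeholders.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireBucketOwnerFullControlOnUpload",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }
    }
  ]
}
""")

# S3-specific condition keys that are populated from a request header of the
# same name. Only the key discussed on the page is modelled here.
HEADER_BACKED_KEYS = {"s3:x-amz-acl": "x-amz-acl"}


def request_context(headers):
    """Build the condition-key context for one request from its HTTP headers.

    Header names are case-insensitive, so they are lower-cased before lookup.
    A key whose header is absent is simply not present in the context.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    return {key: lowered[hdr] for key, hdr in HEADER_BACKED_KEYS.items()
            if hdr in lowered}


def condition_matches(condition, context):
    """Evaluate a Condition block against the request context.

    Only StringEquals is modelled: an exact, case-sensitive comparison of the
    value string. A key missing from the context never matches, and the value
    itself is not validated, so a misspelt canned ACL just never matches.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context or context[key] != expected:
                return False
    return True


def is_allowed(policy, action, resource, headers):
    """Default deny: the request passes only if an Allow statement covers the
    action and resource and its Condition matches. Principal matching and
    explicit Deny statements are not modelled in this example."""
    context = request_context(headers)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if not isinstance(actions, list):
            actions = [actions]
        if action not in actions:
            continue
        # Trailing-wildcard resource match, sufficient for "bucket/*".
        if not resource.startswith(stmt["Resource"].rstrip("*")):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/report.csv"
    # Constructed requests, differing only in the x-amz-acl header they carry.
    cases = {
        "canned ACL header present": {"x-amz-acl": "bucket-owner-full-control"},
        "header name in different case": {"X-Amz-Acl": "bucket-owner-full-control"},
        "no ACL header at all": {},
        "a different canned ACL": {"x-amz-acl": "public-read"},
        "misspelt value, never matches": {"x-amz-acl": "bucket-owner-full-controll"},
    }
    for label, headers in cases.items():
        verdict = "ALLOW" if is_allowed(BUCKET_POLICY, "s3:PutObject", key, headers) else "DENY"
        print(f"{label:32s} -> {verdict}")
```

The first two requests are allowed and the remaining three fall through to the implicit deny, which is the behaviour the answer describes: the header name is matched case-insensitively, the value string is compared exactly, and an absent header can never satisfy StringEquals.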
Reputation: 3097
According to this documentation, the purpose of BucketOwnerFullControl is as follows:
Specifies that the owner of the bucket is granted Permission.FullControl. The owner of the bucket is not necessarily the same as the owner of the object.
The main use case for this is when user A is putting an object into a bucket that is owned by user B, and this defines the permission for the bucket owner (user B).
Upvotes: 4