
aws s3api returns "access denied" if object does not exist and list permissions are not provided #2041

Closed
brandongalbraith opened this issue Jun 27, 2016 · 4 comments
Labels
closing-soon This issue will automatically close in 4 days unless further comments are made. guidance Question that needs advice or information. service-api This issue is due to a problem in a service API, not the SDK implementation.

Comments

brandongalbraith commented Jun 27, 2016

When attempting to retrieve an object that does not exist from a bucket with `aws s3api get-object --bucket <bucket> --key <object_key>`, I received:

A client error (AccessDenied) occurred when calling the GetObject operation: Access Denied

instead of:

A client error (NoSuchKey) occurred when calling the GetObject operation: The specified key does not exist.

Only GetObject permissions were provided for the IAM role performing the get-object request.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket>/<key_path>/<key_path>/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
brandongalbraith changed the title from "aws s3api returns "access denied" if object does not exist" to "aws s3api returns "access denied" if object does not exist and list permissions are not provided" on Jun 27, 2016

@JordonPhillips (Member)
This is intentional, it prevents leaking information to parties that are given limited rights to a bucket.

@JordonPhillips JordonPhillips added closing-soon This issue will automatically close in 4 days unless further comments are made. api-question labels Jun 29, 2016
@brandongalbraith (Author)

@JordonPhillips Thanks for the reply! Can you be more specific? If the bucket has the appropriate GetObject permissions, and the object doesn't exist, what information could be leaking by indicating that the object does not exist?

@JordonPhillips (Member)

It gives you information about the bucket's contents that you did not have. You could exhaustively try to grab all possible object keys, and take note of which raises NoSuchKey and which gives AccessDenied. You would then have effectively listed the bucket, which you do not have permissions to do. It would be very difficult and time consuming to do something like that, but a more sophisticated attack could still leak information with far less overhead.

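To make the distinction in the reply above concrete, the following is an added example (not code from the aws-cli project, from AWS, or from either commenter). It re-implements S3's documented rule in miniature: a GetObject on a missing key returns NoSuchKey only when the caller holds s3:ListBucket on the bucket ARN, otherwise AccessDenied. The bucket name, object keys and the second policy are constructed sample data; the `leaky=True` switch models the behaviour the issue author initially expected, so the enumeration attack from the reply can be run against both variants.

```python
"""Model of the S3 GetObject behaviour discussed in this issue.

Added example, not code from aws-cli or AWS. The authorization logic is a
simplified re-implementation of S3's documented rule (404 NoSuchKey for a
missing key only when the caller holds s3:ListBucket on the bucket, otherwise
403 AccessDenied); the bucket name, object keys and policies are constructed.
"""
import fnmatch

BUCKET = "example-bucket"  # constructed sample bucket name

# Constructed bucket contents. The caller's GetObject grant covers only
# reports/2016/*, so the hr/ keys are outside what it may read.
OBJECTS = {
    "reports/2016/q1.csv",
    "reports/2016/q2.csv",
    "hr/salaries.xlsx",
    "hr/terminations.xlsx",
}

# The policy from the issue, with the placeholders filled in with sample values.
GET_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/reports/2016/*"],
        }
    ],
}

# The same policy plus s3:ListBucket on the bucket ARN (not the object ARN).
# This is what makes GetObject on a missing key return NoSuchKey.
GET_AND_LIST = {
    "Version": "2012-10-17",
    "Statement": GET_ONLY["Statement"]
    + [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed(policy, action, resource_arn):
    """True if an Allow statement matches both the action and the resource.

    IAM wildcard matching is approximated with fnmatch; Deny statements,
    conditions and bucket policies are deliberately not modelled.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and any(
            fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])
        ):
            return True
    return False


def get_object(policy, key, *, leaky=False, objects=OBJECTS, bucket=BUCKET):
    """Return "OK" or the S3 error code a GetObject call would produce.

    leaky=True models the behaviour the issue author expected (NoSuchKey for
    every missing key, regardless of ListBucket); leaky=False is what S3 does.
    """
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if key in objects:
        return "OK" if allowed(policy, "s3:GetObject", object_arn) else "AccessDenied"
    if leaky or allowed(policy, "s3:ListBucket", bucket_arn):
        return "NoSuchKey"
    return "AccessDenied"


def keys_confirmed_absent(policy, candidates, *, leaky=False):
    """The enumeration attack from the thread: probe candidate keys and keep
    those S3 explicitly reports as missing. Every candidate NOT in the result
    is thereby confirmed to exist, even if the caller cannot read it."""
    return {k for k in candidates if get_object(policy, k, leaky=leaky) == "NoSuchKey"}


if __name__ == "__main__":
    probes = ["hr/salaries.xlsx", "hr/bonuses.xlsx", "hr/terminations.xlsx"]
    print("missing key, GetObject-only policy :", get_object(GET_ONLY, "reports/2016/missing.csv"))
    print("missing key, with s3:ListBucket    :", get_object(GET_AND_LIST, "reports/2016/missing.csv"))
    print("absent keys learned, real S3 rule  :", keys_confirmed_absent(GET_ONLY, probes))
    print("absent keys learned, leaky variant :", keys_confirmed_absent(GET_ONLY, probes, leaky=True))
```

Run as a script it shows the two outcomes from the issue side by side: with the GetObject-only policy every probe outside the readable prefix comes back AccessDenied, so the prober learns nothing, whereas the leaky variant singles out the one key that does not exist and thereby confirms the other two. If the NoSuchKey response is actually wanted, the fix is the second policy: grant s3:ListBucket on the bucket ARN, and in a real policy narrow it with the `s3:prefix` condition key to the same prefix the caller may read (that condition is not modelled here).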
@brandongalbraith (Author)

@JordonPhillips Right you are! Thank you!

@diehlaws diehlaws added guidance Question that needs advice or information. service-api This issue is due to a problem in a service API, not the SDK implementation. and removed api-question labels Jan 4, 2019
thoward-godaddy pushed a commit to thoward-godaddy/aws-cli that referenced this issue Feb 12, 2022