
Reference policy for S3/Cognito is overly broad #107

Closed
benkehoe opened this issue Mar 20, 2019 · 3 comments

Comments

@benkehoe
commented Mar 20, 2019

The policy at https://github.com/awsdocs/iam-user-guide/blob/master/doc_source/reference_policies_examples_s3_cognito-bucket.md claims that it restricts Cognito users' access to only objects containing their Cognito ID. This is true for the second statement, but the first statement is missing the Cognito ID in its prefix condition. This means that the user will be able to enumerate all users' objects, though it will not be able to access them. Either the prefix condition should be updated, or the surrounding text should be revised to reflect the broader permissions in the policy.

@stephswo

commented Apr 1, 2019

I'm the IAM docs writer and understand policies, but am not an expert in S3 or Cognito. Can you help me understand why the first statement does not work as designed? The statement allows listing buckets with a specific name, but only with the specified Cognito prefix listed in the Condition.

@copumpkin

commented Apr 1, 2019

@stephswo if I understand correctly, the intent is to give every cognito user their own "folder" hierarchy in the bucket. The policy as written on that page would allow every user to view a listing of objects in all other users' prefixes, as well as a full list of usernames.

So basically every user can:

  1. Read/write/delete their own objects
  2. List everyone's objects and find out every cognito username who's using that bucket

I think the correct first statement would be:

        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::bucket-name"],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["cognito/application-name/${cognito-identity.amazonaws.com:sub}/"]
                }
            }
        },
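The difference between the two `ListBucket` statements is easiest to see by evaluating concrete requests against both. The script below is an added example, not code from the AWS docs or from anyone in this thread. It is a deliberately small stand-in for IAM evaluation (Allow/Deny, `StringLike` on `s3:prefix`, `${...}` policy-variable substitution, `*`/`?` wildcards in Action and Resource), not AWS's engine. The bucket name, application name and the two Cognito identity IDs are constructed, and the "broad" statement is an assumption about the pre-fix docs (the prefix value without the Cognito ID); the "fixed" statement is the one proposed in the comment above.

```python
"""Toy evaluator for the two s3:ListBucket statements compared in this issue.

Added example, not AWS code. Implements only the slice of IAM needed here.
"""
import re

BUCKET_ARN = "arn:aws:s3:::bucket-name"          # constructed bucket name
SUB_KEY = "cognito-identity.amazonaws.com:sub"

# Constructed identity IDs for two different Cognito users.
ALICE = "us-east-1:11111111-aaaa-4aaa-8aaa-111111111111"
BOB = "us-east-1:22222222-bbbb-4bbb-8bbb-222222222222"


def wildcard_match(pattern, value):
    """IAM-style match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value) is not None


def substitute(value, context):
    """Replace ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: context.get(m.group(1), m.group(0)), value)


def statement_matches(stmt, action, resource, context):
    if not any(wildcard_match(a, action) for a in stmt["Action"]):
        return False
    if not any(wildcard_match(substitute(r, context), resource)
               for r in stmt["Resource"]):
        return False
    # Only StringLike is modelled: every key must match (AND), any value per key (OR).
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        if key not in context:
            return False  # condition key absent from the request: no match
        if not any(wildcard_match(substitute(p, context), context[key])
                   for p in patterns):
            return False
    return True


def is_allowed(policy, action, resource, context):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    effects = [s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource, context)]
    return "Deny" not in effects and "Allow" in effects


def list_statement(prefix_pattern):
    return {"Effect": "Allow", "Action": ["s3:ListBucket"],
            "Resource": [BUCKET_ARN],
            "Condition": {"StringLike": {"s3:prefix": [prefix_pattern]}}}


# Second statement of the documented policy: objects under the caller's own prefix.
OBJECT_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": [BUCKET_ARN + "/cognito/application-name/${%s}/*" % SUB_KEY],
}

# Assumed pre-fix first statement: prefix condition lacks the Cognito ID.
BROAD_POLICY = {"Statement": [list_statement("cognito/application-name/"),
                              OBJECT_STATEMENT]}
# First statement as proposed in this thread: prefix pinned to the caller's ID.
FIXED_POLICY = {"Statement": [
    list_statement("cognito/application-name/${%s}/" % SUB_KEY), OBJECT_STATEMENT]}


def can_list(policy, caller_sub, prefix):
    """Can caller_sub call ListBucket with this s3:prefix request parameter?"""
    return is_allowed(policy, "s3:ListBucket", BUCKET_ARN,
                      {SUB_KEY: caller_sub, "s3:prefix": prefix})


def can_get(policy, caller_sub, key):
    """Can caller_sub GetObject on this key?"""
    return is_allowed(policy, "s3:GetObject", BUCKET_ARN + "/" + key,
                      {SUB_KEY: caller_sub})


if __name__ == "__main__":
    everyone = "cognito/application-name/"
    own = "cognito/application-name/%s/" % ALICE
    bobs_key = "cognito/application-name/%s/notes.txt" % BOB
    for name, policy in (("broad", BROAD_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "alice lists own prefix:", can_list(policy, ALICE, own))
        print(name, "alice lists everyone's prefixes:", can_list(policy, ALICE, everyone))
        print(name, "alice reads bob's object:", can_get(policy, ALICE, bobs_key))
```

Under the broad statement the listing with prefix `cognito/application-name/` is allowed, which is exactly the call that returns every user's keys (or, with a delimiter, every user's ID as a common prefix); the object statement alone still blocks reading them. Under the fixed statement only the caller's own prefix can be listed. One caveat for anyone copying the fix: `StringLike` without a `*` matches the prefix value exactly, so a listing of `cognito/application-name/<sub>/some-subfolder/` would be denied unless a second value such as `cognito/application-name/${cognito-identity.amazonaws.com:sub}/*` is added to the condition.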
@stephswo

commented Apr 1, 2019

Got it! That makes sense. I've updated the docs and the change will be live later today.
