The following diagram describes how the system evaluates the authorization request for an S3 object operation:
In the S3 object operation authorization process, the system first evaluates whether the requester is an ECS IAM user. If so, the request is evaluated against the user, bucket, and object contexts. If all three context verifications authorize the request, access is granted; otherwise it is denied.
The following table summarizes the access details for same-account and cross-account bucket operations:

| Bucket owner (account) | Object owner (account) | Requestor | Comments |
| --- | --- | --- | --- |
| A1 | A1 | U1 | Access is determined by the user policy and/or by the bucket policy. No object ACL check. |
| A1 | A1 | U2 | U2 needs an IAM policy allow from A2. If the A1 bucket policy does not make a determination, the system checks the object ACL. |
| A1 | A1 | R1 | IAM policy not relevant for R1. If the A1 bucket policy does not make a determination, the system checks the object ACL. |
| A1 | A1 | R2 | IAM policy not relevant for R2. If the A1 bucket policy does not make a determination, the system checks the object ACL. |
| A1 | A2 | U1 | U1 needs an IAM policy or bucket policy allow. Object ACL must allow A1 access. |
| A1 | A2 | U2 | U2 needs an IAM policy allow. Bucket policy must not deny. NOTE: Bucket policy cannot allow access. |
| A1 | A2 | U3 | U3 needs an IAM policy allow. Bucket policy must not deny. Object ACL must allow A3 access. NOTE: Bucket policy cannot allow access. |
| A1 | A2 | R1 | IAM policy not relevant. Bucket policy must not deny. Object ACL must allow A1 access. NOTE: Bucket policy cannot allow access. |
| A1 | A2 | R2 | IAM policy not relevant. Bucket policy must not deny. Object ACL must allow A2 access. NOTE: Bucket policy cannot allow access. |
| A1 | A2 | R3 | IAM policy not relevant. Bucket policy must not deny. Object ACL must allow A3 access. NOTE: Bucket policy cannot allow access. |

NOTE: In this table, the following legend is used:
A1 = first account, A2 = second account, A3 = third account, U1 = user from the first account, U2 = user from the second account, U3 = user from the third account, R1 = root user from the first account, R2 = root user from the second account, and R3 = root user from the third account.
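The decision table above is easier to reason about as executable logic. The following Python model is an added example, not Dell ECS code: it encodes each row's stated conditions (IAM policy, bucket policy, object ACL) and applies the matching row to a request. The three-valued decisions ("allow", "deny", "none" for no determination), the `Request` fields and the treatment of an explicit deny in the same-account U1 row are assumptions made for the model; the row for U2 in the cross-account case lists no object ACL condition, so the model does not impose one there.

```python
"""Model of the ECS S3 object-operation decision table (illustrative, not ECS code)."""
from __future__ import annotations
from dataclasses import dataclass, field

ALLOW, DENY, NONE = "allow", "deny", "none"   # assumed three-valued policy outcomes


@dataclass
class Request:
    bucket_owner: str                 # account owning the bucket, e.g. "A1"
    object_owner: str                 # account owning the object
    requester_account: str            # account of the caller
    is_root: bool                     # True for R1/R2/R3, False for IAM users U1/U2/U3
    iam_decision: str = NONE          # requester's IAM policy outcome (ignored for root)
    bucket_decision: str = NONE       # bucket policy outcome
    acl_grants: frozenset = field(default_factory=frozenset)  # accounts granted by the object ACL


def authorize(req: Request) -> tuple[bool, str]:
    """Apply the table row matching the request; return (granted, reason)."""
    same_account = req.bucket_owner == req.object_owner
    from_bucket_owner = req.requester_account == req.bucket_owner

    if same_account and not req.is_root and from_bucket_owner:
        # Row A1/A1/U1: user policy and/or bucket policy decide; no object ACL check.
        # Assumption: an explicit deny in either policy wins over an allow.
        if DENY in (req.iam_decision, req.bucket_decision):
            return False, "explicit deny in IAM or bucket policy"
        if ALLOW in (req.iam_decision, req.bucket_decision):
            return True, "allowed by IAM or bucket policy; object ACL not consulted"
        return False, "no policy allows the request"

    if same_account:
        # Rows A1/A1/U2, R1, R2: a user from another account needs an IAM allow;
        # root users skip IAM. Bucket policy decides if it says anything.
        if not req.is_root and req.iam_decision != ALLOW:
            return False, "IAM policy from the requester's account does not allow"
        if req.bucket_decision != NONE:
            return req.bucket_decision == ALLOW, f"bucket policy determined: {req.bucket_decision}"
        # Bucket policy silent: fall through to the object ACL.
        if req.requester_account in req.acl_grants:
            return True, "object ACL grants the requester's account"
        return False, "bucket policy silent and object ACL does not grant access"

    # Cross-account rows (bucket owned by A1, object owned by A2).
    if req.bucket_decision == DENY:
        return False, "bucket policy denies"
    if from_bucket_owner and not req.is_root:
        # Row A1/A2/U1: IAM or bucket policy allow, then object ACL for A1.
        if ALLOW not in (req.iam_decision, req.bucket_decision):
            return False, "neither IAM nor bucket policy allows"
    elif not req.is_root:
        # Rows U2, U3: bucket policy cannot allow; an IAM allow is mandatory.
        if req.iam_decision != ALLOW:
            return False, "IAM policy does not allow (bucket policy cannot grant here)"
    if not req.is_root and req.requester_account == req.object_owner:
        # Row A1/A2/U2 states no object ACL condition for the object owner's own user.
        return True, "allowed by IAM; object is owned by the requester's account"
    # Every other cross-account row requires the object ACL to allow the requester's account.
    if req.requester_account in req.acl_grants:
        return True, "object ACL allows the requester's account"
    return False, "object ACL does not grant the requester's account"


if __name__ == "__main__":
    # Constructed sample: U3 reading an A2-owned object in an A1 bucket.
    print(authorize(Request("A1", "A2", "A3", False, iam_decision=ALLOW, acl_grants=frozenset({"A3"}))))
```

Running the model over the nine rows with different policy outcomes makes the cross-account asymmetry visible: a bucket policy allow never substitutes for an IAM allow when the requester comes from a third account, while a bucket policy deny short-circuits every cross-account row.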