During the S3 request authorization process, the system evaluates permissions in the user, bucket, and object contexts as needed.
| Context | Description |
| --- | --- |
| User | In this context, if the requester is an ECS IAM principal, the principal must have permission from the parent namespace to which it belongs. In this step, the subset of policies that are owned by the parent account (also referred to as the context authority) is evaluated. This subset of policies includes the user policy that the parent attaches to the principal. If the parent also owns the resource in the request (bucket, object), then the corresponding resource policies (bucket policy, bucket ACL, and object ACL) are also evaluated at the same time. |
| Bucket | In this context, ECS evaluates policies that are owned by the namespace that owns the bucket. If the namespace that owns the object in the request is not the same as the bucket owner, the policies are checked in the bucket context to verify that the bucket owner has not explicitly denied access to the object. If there is an explicit deny set on the object, then the request is not authorized. |
| Object | In this context, the requester must have permissions from the object owner to perform a specific object operation. In this step, the object ACL is evaluated if required. |
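
The three-context evaluation described above, modelled in Python as an added example (not ECS code or an ECS API). The Stmt and Request types, the exact-match statements, the namespace names and the rule for when the object context is skipped are assumptions made for illustration; real policies also carry wildcards and conditions that are left out here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stmt:
    owner: str       # namespace that owns this policy/ACL entry (the context authority)
    effect: str      # "Allow" or "Deny"
    principal: str
    action: str
    resource: str    # "bucket/key"

@dataclass(frozen=True)
class Request:
    principal: str
    parent_ns: str     # namespace the IAM principal belongs to
    action: str
    bucket: str
    bucket_owner: str
    key: str
    object_owner: str

def decide(stmts, authority, req):
    """Evaluate only the statements owned by `authority`; an explicit Deny wins."""
    target = (req.principal, req.action, f"{req.bucket}/{req.key}")
    hits = {s.effect for s in stmts
            if s.owner == authority and (s.principal, s.action, s.resource) == target}
    return "Deny" if "Deny" in hits else "Allow" if "Allow" in hits else "NoMatch"

def authorize(stmts, req):
    """Return (authorized, context that rejected the request or None)."""
    # User context: the parent namespace must grant the action. Resource policies
    # the parent owns carry the same owner, so they are evaluated in the same pass.
    if decide(stmts, req.parent_ns, req) != "Allow":
        return False, "user"
    # Bucket context: when bucket and object owners differ, an explicit Deny
    # from the bucket owner rejects the request.
    if req.object_owner != req.bucket_owner and decide(stmts, req.bucket_owner, req) == "Deny":
        return False, "bucket"
    # Object context: the object owner must grant the operation. Assumption: this
    # is skipped when the parent namespace is the object owner (checked above).
    if req.object_owner != req.parent_ns and decide(stmts, req.object_owner, req) != "Allow":
        return False, "object"
    return True, None

# Constructed sample: alice (ns1) reads an object owned by ns3 in a bucket owned by ns2.
REQ = Request("alice", "ns1", "s3:GetObject", "reports", "ns2", "q1.csv", "ns3")
GRANTS = [Stmt("ns1", "Allow", "alice", "s3:GetObject", "reports/q1.csv"),    # user policy
          Stmt("ns3", "Allow", "alice", "s3:GetObject", "reports/q1.csv")]    # object ACL
BUCKET_DENY = Stmt("ns2", "Deny", "alice", "s3:GetObject", "reports/q1.csv")  # bucket policy
```

Calling authorize(GRANTS + [BUCKET_DENY], REQ) shows the cross-namespace case from the Bucket row: both the parent namespace and the object owner allow the read, and the bucket owner's explicit deny still rejects it.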