Skip to content
This repository has been archived by the owner on Jan 14, 2025. It is now read-only.

Incorrect security expectations for S3 uploads in Auth: 3. IAM-Based AuthZ, Configure IAM permissions #305

Open
arpena opened this issue Apr 3, 2021 · 0 comments
Open

Incorrect security expectations for S3 uploads in Auth: 3. IAM-Based AuthZ, Configure IAM permissions #305

arpena opened this issue Apr 3, 2021 · 0 comments

Comments

@arpena
Copy link

arpena commented Apr 3, 2021

The description of the IAM policy for S3 uploads and downloads in the app bucket states that "This policy’s effective permissions will allow all authenticated users to read objects from the root of the bucket and any /protected path, but only allow users to read their own private sub-path and write to their sub-path within the protected path." (my styling)

Instead the policy clearly also permits PutObject and DeleteObject from the /public/* path:

    {
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion"
        ],
        "Resource": "arn:aws:s3:::REPLACE_WITH_YOUR_BUCKET_NAME/public/*"
    }

Indeed, with the modifications to the app proposed in the next step, the user's profile photo gets uploaded to this path and not to the /private path where the permissions won't allow other users to see or change other users profile photos.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@arpena