Bug #52706 (closed): With policy specifying invalid arn, users can list content of any bucket
% Done: 0%
Regression: No
Severity: 2 - major
Description
Hi
I have a role with a permission policy like the one below:
{ "Version":"2012-10-17","Statement":[ { "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"this-is-not-arn-bla-bla" } ] }
or
{ "Version":"2012-10-17","Statement":[ { "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"barn:aws:s3:::nonexisting-bucket" } ] }
After assuming the role, the user can execute the head-bucket or list-bucket s3api operation on every bucket in the tenant without getting the expected 403 error.
If I specify Resource as a valid ARN (even if the bucket does not exist), e.g. arn:aws:s3:::my-valid-bucket,
then the user can list the content of that bucket only, as expected. An attempt to access any other bucket returns 403.
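The behaviour the report expects, as an added illustration rather than RGW's own code: a policy evaluator that parses each Resource as an S3 ARN and treats a string that is not a well-formed ARN as matching no bucket at all (fail closed), instead of falling through to an allow. The ARN grammar, the function names and the three sample policies (taken from the report above) are assumptions of this example.

```python
import json
import re

# Assumed S3 ARN grammar: arn:<partition>:s3:<region>:<account>:<bucket>[/<key>]
# (region and account are empty for S3). This is a model, not RGW's parser.
_S3_ARN = re.compile(
    r"^arn:(?P<partition>[a-z0-9-]+):s3:(?P<region>[a-z0-9-]*):"
    r"(?P<account>[0-9]*):(?P<bucket>[^/]+)(?:/(?P<key>.*))?$"
)

def parse_s3_arn(arn):
    """Return the bucket named by a well-formed S3 ARN, or None if the string is
    not an ARN. Returning None (never a wildcard) is what makes evaluation fail closed."""
    m = _S3_ARN.match(arn)
    return m.group("bucket") if m else None

def statement_matches_bucket(statement, bucket):
    """True only if some Resource entry is '*' or a valid ARN naming this bucket."""
    resources = statement.get("Resource", [])
    if isinstance(resources, str):
        resources = [resources]
    for res in resources:
        if res == "*":
            return True
        named = parse_s3_arn(res)
        if named is None:
            continue  # malformed ARN: cannot name any bucket, so it matches nothing
        if named in ("*", bucket):
            return True
    return False

def is_allowed(policy_json, action, bucket):
    """Evaluate one action on one bucket: explicit Deny wins, otherwise any Allow."""
    allowed = False
    for st in json.loads(policy_json)["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions or not statement_matches_bucket(st, bucket):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def _policy(resource):
    # Same shape as the policies in the report; only Resource varies.
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": resource}]})

NOT_AN_ARN = _policy("this-is-not-arn-bla-bla")
BAD_PREFIX = _policy("barn:aws:s3:::nonexisting-bucket")
VALID_ARN = _policy("arn:aws:s3:::my-valid-bucket")
```

With this evaluator the two malformed policies deny s3:ListBucket on every bucket, while the valid ARN allows it on my-valid-bucket only.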