Creating policies requiring special handling

Some policies grant or deny permissions in a way that is dangerous for security or for continued operation, such as locking the account's root user out of a bucket. The StorageGRID Webscale S3 REST API implementation is less restrictive than Amazon S3 when validating a policy (it accepts some policies that Amazon rejects as invalid), but equally strict when evaluating the policy against a request. The cases below list, for each policy description, the policy type, Amazon's behavior, and StorageGRID's behavior.

Policy description: Deny self any permissions to the root account
Policy type: Bucket
Amazon behavior: Valid and enforced, but the root user account retains permission for all S3 bucket policy operations
StorageGRID behavior: Same as Amazon

Policy description: Deny self any permissions to user/group
Policy type: Group
Amazon behavior: Valid and enforced
StorageGRID behavior: Same as Amazon

Policy description: Allow a foreign account group any permission
Policy type: Bucket
Amazon behavior: Invalid principal
StorageGRID behavior: Valid, but permissions for all S3 bucket policy operations return a 405 Method Not Allowed error when allowed by a policy

Policy description: Allow a foreign account root or user any permission
Policy type: Bucket
Amazon behavior: Valid, but permissions for all S3 bucket policy operations return a 405 Method Not Allowed error when allowed by a policy
StorageGRID behavior: Same as Amazon

Policy description: Allow everyone permissions to all actions
Policy type: Bucket
Amazon behavior: Valid, but permissions for all S3 bucket policy operations return a 405 Method Not Allowed error for the foreign account root and users
StorageGRID behavior: Same as Amazon

Policy description: Deny everyone permissions to all actions
Policy type: Bucket
Amazon behavior: Valid and enforced, but the root user account retains permission for all S3 bucket policy operations
StorageGRID behavior: Same as Amazon

Policy description: Principal is a non-existent user or group
Policy type: Bucket
Amazon behavior: Invalid principal
StorageGRID behavior: Valid

Policy description: Resource is a non-existent S3 bucket
Policy type: Group
Amazon behavior: Valid
StorageGRID behavior: Same as Amazon

Policy description: Principal is a local group
Policy type: Bucket
Amazon behavior: Invalid principal
StorageGRID behavior: Valid

Policy description: Policy grants a non-owner account (including anonymous accounts) permissions to PUT objects
Policy type: Bucket
Amazon behavior: Valid. Objects are owned by the creator account, and the bucket policy does not apply. The creator account must grant access permissions for the object using object ACLs.
StorageGRID behavior: Valid. Objects are owned by the bucket owner account. The bucket policy applies.
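Because StorageGRID validation accepts several of the constructs above without complaint, the surprise only shows up at evaluation time. The following checker is an added example (not StorageGRID or NetApp code) that pre-screens a bucket policy, in the JSON shape used by Amazon S3, for the cases in the table before it is uploaded with PutBucketPolicy. The account IDs, the sample policy, and the principal syntax it parses (arn:aws:iam::<account>:root, :user/<name>, :group/<name>, with the urn:sgws:identity prefix treated the same way) are assumptions; the page does not show principal syntax.

```python
import json
import re

# Added example, not StorageGRID code. It flags the policy constructs from the
# table above that StorageGRID validates but that behave unexpectedly at
# evaluation time. Account IDs and principal syntax are assumptions.

# The S3 bucket policy operations the table refers to.
BUCKET_POLICY_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy")

# Assumed principal syntax: <prefix>::<account-id>:root | user/<name> | group/<name>
PRINCIPAL_RE = re.compile(
    r"^(?:arn:aws:iam|urn:sgws:identity)::(\d+):(root|user/[^/]+|group/[^/]+)$"
)

OWNER_ACCOUNT = "12345678901234567890"    # hypothetical bucket-owner account ID
FOREIGN_ACCOUNT = "98765432109876543210"  # hypothetical other tenant account ID


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element into a list of '*' or principal strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def _covers(patterns, action):
    """True if any Action entry ('*', 's3:*', exact, or trailing wildcard) covers action."""
    action = action.lower()
    for pat in patterns:
        pat = pat.lower()
        if pat in ("*", "s3:*", action):
            return True
        if pat.endswith("*") and action.startswith(pat[:-1]):
            return True
    return False


def check_policy(policy_json, owner_account):
    """Return (Sid, code) findings for the special-handling cases in the table.

    ROOT_RETAINS_POLICY_OPS  Deny aimed at everyone or the owner root covers a bucket
                             policy operation, but root keeps those operations anyway.
    FOREIGN_POLICY_OPS_405   Allow grants a bucket policy operation to everyone or to a
                             foreign account; foreign callers get 405 Method Not Allowed.
    LOCAL_GROUP_PRINCIPAL    Local group as Principal: valid on StorageGRID, invalid on Amazon.
    NONOWNER_PUT_OWNERSHIP   Non-owner may PUT objects; on StorageGRID the bucket owner owns
                             them and the bucket policy applies, unlike Amazon.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", "Statement[%d]" % idx)
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        principals = _principals(stmt)
        everyone = "*" in principals
        own_root = foreign = local_group = False
        for p in principals:
            m = PRINCIPAL_RE.match(p)
            if not m:
                continue  # unrecognised form: the checker cannot classify it
            account, who = m.groups()
            if account != owner_account:
                foreign = True
            elif who == "root":
                own_root = True
            elif who.startswith("group/"):
                local_group = True
        policy_ops = any(_covers(actions, a) for a in BUCKET_POLICY_ACTIONS)
        if effect == "Deny" and (everyone or own_root) and policy_ops:
            findings.append((sid, "ROOT_RETAINS_POLICY_OPS"))
        if effect == "Allow" and (everyone or foreign) and policy_ops:
            findings.append((sid, "FOREIGN_POLICY_OPS_405"))
        if local_group:
            findings.append((sid, "LOCAL_GROUP_PRINCIPAL"))
        if effect == "Allow" and (everyone or foreign) and _covers(actions, "s3:PutObject"):
            findings.append((sid, "NONOWNER_PUT_OWNERSHIP"))
    return findings


# Constructed sample policy that exercises four rows of the table.
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::demo-bucket", "arn:aws:s3:::demo-bucket/*"]},
        {"Sid": "PartnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::%s:root" % FOREIGN_ACCOUNT},
         "Action": ["s3:PutObject", "s3:GetBucketPolicy"],
         "Resource": ["arn:aws:s3:::demo-bucket", "arn:aws:s3:::demo-bucket/*"]},
        {"Sid": "LocalGroupRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::%s:group/readers" % OWNER_ACCOUNT},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-bucket/*"},
    ]
})

if __name__ == "__main__":
    for sid, code in check_policy(SAMPLE_POLICY, OWNER_ACCOUNT):
        print(sid, code)
```

The checker only classifies principals it can parse and ignores NotPrincipal, NotAction and Condition elements, so a clean result is not proof that a policy is safe; it exists to catch the specific lock-out and 405 surprises listed above, and the non-existent-principal row still needs a lookup against the tenant's actual users and groups, which this offline check cannot do.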