Sometimes a policy can grant permissions that are dangerous for security or dangerous for continued operations, such as locking out the root user of the account. The StorageGRID Webscale S3 REST API implementation is less restrictive during policy validation than Amazon, but equally strict during policy evaluation.
| Policy description | Policy type | Amazon behavior | StorageGRID behavior |
|---|---|---|---|
| Deny self any permissions to the root account | Bucket | Valid and enforced, but the root user account retains permission for all S3 bucket policy operations | Same |
| Deny self any permissions to user/group | Group | Valid and enforced | Same |
| Allow a foreign account group any permission | Bucket | Invalid principal | Valid, but permissions for all S3 bucket policy operations return a 405 Method Not Allowed error when allowed by a policy |
| Allow a foreign account root or user any permission | Bucket | Valid, but permissions for all S3 bucket policy operations return a 405 Method Not Allowed error when allowed by a policy | Same |
| Allow everyone permissions to all actions | Bucket | Valid, but permissions for all S3 bucket policy operations return a 405 Method Not Allowed error for the foreign account root and users | Same |
| Deny everyone permissions to all actions | Bucket | Valid and enforced, but the root user account retains permission for all S3 bucket policy operations | Same |
| Principal is a non-existent user or group | Bucket | Invalid principal | Valid |
| Resource is a non-existent S3 bucket | Group | Valid | Same |
| Principal is a local group | Bucket | Invalid principal | Valid |
| Policy grants a non-owner account (including anonymous accounts) permissions to PUT objects | Bucket | Valid. Objects are owned by the creator account, and the bucket policy does not apply. The creator account must grant access permissions for the object using object ACLs. | Valid. Objects are owned by the bucket owner account. The bucket policy applies. |
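Because StorageGRID accepts policies that Amazon would reject at validation time, it is worth linting a bucket policy before applying it. The following Python linter is an added example (not StorageGRID's own code) that flags statements matching the risky rows above; it assumes AWS-style JSON policy documents with principals written as `"*"` or `arn:aws:iam::<account-id>:root`, and the account IDs and bucket name in the sample policy are constructed.

```python
import json
import re

ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d+):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account(arn):
    """Account ID embedded in an IAM ARN, or None for anything else."""
    m = ACCOUNT_RE.match(arn)
    return m.group(1) if m else None

def _principals(stmt):
    """Principal strings of a statement: {"*"} or a set of IAM ARNs."""
    principal = stmt.get("Principal", {})
    return {"*"} if principal == "*" else set(_as_list(principal.get("AWS", [])))

def lint_policy(policy, owner_account):
    """Return "stmtN: CODE" findings; each CODE corresponds to a row of the table."""
    findings = []
    for n, stmt in enumerate(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        actions = set(_as_list(stmt.get("Action", [])))
        principals = _principals(stmt)
        everyone = "*" in principals
        all_actions = bool(actions & {"*", "s3:*"})
        foreign = {p for p in principals if p != "*" and _account(p) != owner_account}
        if effect == "Deny" and everyone and all_actions:
            findings.append(f"stmt{n}: DENY_EVERYONE_ALL")  # root keeps only bucket-policy ops
        if effect == "Deny" and f"arn:aws:iam::{owner_account}:root" in principals:
            findings.append(f"stmt{n}: DENY_OWN_ROOT")  # explicit self-lockout attempt
        if effect == "Allow" and everyone and all_actions:
            findings.append(f"stmt{n}: ALLOW_EVERYONE_ALL")  # fully public bucket
        if effect == "Allow" and foreign:
            findings.append(f"stmt{n}: ALLOW_FOREIGN_ACCOUNT")  # their bucket-policy ops return 405
        if effect == "Allow" and (everyone or foreign) and (all_actions or "s3:PutObject" in actions):
            findings.append(f"stmt{n}: NON_OWNER_PUT")  # on StorageGRID the bucket owner owns the objects
    return findings

# Constructed sample: owner account 111111111111, foreign account 222222222222 (made-up IDs).
SAMPLE_POLICY = json.loads("""{"Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}""")

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY, "111111111111")))
```

Run against the sample, the linter reports the foreign-account PUT grant (objects will belong to the bucket owner on StorageGRID) and the blanket Deny that leaves only the root account's bucket-policy operations usable.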