How do I remove a "grantee" user from S3 permissions tab?

This is really a two-part question:

I'm seeing some users in the "Grantee" dropdown for editing S3 permissions within the AWS console.

  1. Where are those users coming from?
  2. How can I delete them?

They aren't in IAM so I'm not really sure where they're coming from.

doremi asked Jan 18 '12 01:01




1 Answer

A grantee can either be an AWS account (which you probably added in the past) or a predefined AWS "group", such as "Authenticated Users", "All Users" or "Log Delivery". Please have a look at ACL Overview, on AWS docs, for more information.

For removing grants from a given file (or from a set of files), you can use the PUT Object acl operation.

It is not clear, in the documentation, what you need to do in order to remove a user from the "Grantee" list. I performed some tests and this is how S3 is behaving:

  • If you select a file using the S3 Management Console and add permission to a new user (not yet in your grantees list), using his email address (make sure the email belongs to a valid Amazon account), that user does NOT go to the bucket ACL, but goes to the object ACL. This user also goes to the Grantees list permanently (even though his friendly name, instead of his email address, is what shows up there).
  • If you log out from the AWS console and log in again, the user is still on the Grantees list and you can give him permissions for other objects.
  • If you remove the given user's permissions on every object, log out and log in again, the user will not show on the Grantees list anymore.
  • If you add a given user to the Bucket ACL (either via API or via the AWS Console), the user will always be in the Grantees list for objects on that bucket.

This makes me think the Grantees list contains the entire list of users in your bucket's ACL plus a cache of users with permissions to objects in your bucket (which is cleared upon logging out, if you remove those permissions).

So, I would try first removing the users you don't want from your bucket's ACL, and then (via API, of course) remove those users' permissions for the objects in your bucket.

Viccari answered Sep 27 '22 18:09

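The two-step cleanup the answer recommends (strip the grantee from the bucket ACL, then from every object ACL) as an added example, not code from the original post. It takes a boto3 S3 client and matches grants by the grantee's canonical ID, which is what GET acl returns even for users originally added by email; the bucket name, canonical IDs and the sample ACL are constructed assumptions.

```python
from typing import Any

# Constructed sample: the dict shape boto3 returns from get_bucket_acl / get_object_acl.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-EXAMPLE", "DisplayName": "bucket-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-EXAMPLE",
                     "DisplayName": "bucket-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "stale-user-canonical-id-EXAMPLE",
                     "DisplayName": "old-contractor"}, "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "stale-user-canonical-id-EXAMPLE",
                     "DisplayName": "old-contractor"}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}


def strip_grantee(acl: dict[str, Any], canonical_id: str) -> dict[str, Any]:
    """Return an AccessControlPolicy (the body PUT Bucket acl / PUT Object acl
    accept) with every grant held by `canonical_id` removed. Predefined groups
    are keyed by URI, not ID, so they are untouched. Refuses to strip the owner,
    so a bucket or object can never be left without FULL_CONTROL."""
    if canonical_id == acl["Owner"]["ID"]:
        raise ValueError("refusing to remove the owner's grants")
    kept = [g for g in acl["Grants"]
            if not (g["Grantee"].get("Type") == "CanonicalUser"
                    and g["Grantee"].get("ID") == canonical_id)]
    return {"Owner": acl["Owner"], "Grants": kept}


def remove_grantee_everywhere(s3, bucket: str, canonical_id: str) -> int:
    """Rewrite the bucket ACL, then every object ACL, without the grantee.
    `s3` is a boto3 S3 client. Returns the number of ACLs actually changed;
    ACLs that never mentioned the grantee are left alone (no needless PUTs)."""
    changed = 0
    acl = s3.get_bucket_acl(Bucket=bucket)
    new = strip_grantee(acl, canonical_id)
    if len(new["Grants"]) < len(acl["Grants"]):
        s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy=new)
        changed += 1
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            acl = s3.get_object_acl(Bucket=bucket, Key=obj["Key"])
            new = strip_grantee(acl, canonical_id)
            if len(new["Grants"]) < len(acl["Grants"]):
                s3.put_object_acl(Bucket=bucket, Key=obj["Key"], AccessControlPolicy=new)
                changed += 1
    return changed


if __name__ == "__main__":
    print(strip_grantee(SAMPLE_ACL, "stale-user-canonical-id-EXAMPLE")["Grants"])
    # Live run, assuming credentials and a real bucket name (assumptions):
    #   import boto3; remove_grantee_everywhere(boto3.client("s3"), "my-bucket", "<canonical id>")
```

As the answer notes, the console's Grantees list is a cache, so the user disappears from the dropdown only after you log out and back in once no ACL references them.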