S3 bucket permissions: what does "everyone" mean?

May 10, 2017 by Paulina BudzoƄ

On more than one occasion I have seen S3 bucket policies set for the predefined users groups: “Everyone” and “Any authenticated AWS user”, but rarely has it been done with understanding of what those groups actually mean. So, if you’ve ever set (or thought of setting) permissions for those, please read on.

In the Permissions tab in S3 Console, you’ll see 3 sections: Manage users, Manage group permissions and Manage system permissions. The first and last one are fairly easy to understand: specific users and system-specific access. The group permissions should (in theory) be just as easy - predefined groups of users for which we can define access.

You can define two types of access: read and write. Read means you can “see” things: list of objects, contents of objects. Write means you can change things: add, modify, remove. You can define two sets of permissions: object access and permissions access.

Read for objects means: get list of objects and contents of objects. Write for objects means: add new objects, change and remove existing objects. Read for permissions means: see complete list of permissions. Write for permissions means: change any permissions (be very careful with this one!).

Now to the bit that seems problematic: the actual groups. There are some things in AWS that are assumed (and I don’t mean roles, I mean things that are not directly specified but understood to work in a specific way) - that is never the case with access permissions. Access permissions are explicit - if it says something, that’s what it is. So Everyone and Any authenticated AWS user mean exactly that. Everyone is everyone - any person anywhere. If you give Read access to Everyone, any person who knows the name of the bucket can see everything in it. If you give Write access to Everyone, any person can put files in your bucket, and YOU will pay for the storage. If they set the ACL of the file to private while uploading the file, you won’t even be able to see the contents of the file. Similarly, **Any authenticated AWS user means any user of AWS, NOT any user on your account. ** Literally, anyone with an AWS account.

If your permissions look like this:

s3-bucket-read-write-everyone

Anyone on the internet can open the url looking like this: https://s3-REGION.amazonaws.com/BUCKET-NAME/ and see the list of all files in the bucket and open any of those files. They are also able to upload anything to that bucket!

Please make sure to only set those permissions if you intend to make your bucket completely public.

Posted in: AWS Security