From f468add8044be548a87558390a8efc42e37e7e04 Mon Sep 17 00:00:00 2001 From: Jorge Diaz Date: Mon, 16 Jun 2025 18:35:22 +0200 Subject: [PATCH 1/3] chore(s3): updated documentation to provide better insights when using grant methods for the `Bucket` resource --- packages/aws-cdk-lib/aws-s3/README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/packages/aws-cdk-lib/aws-s3/README.md b/packages/aws-cdk-lib/aws-s3/README.md index 5bf855fa99ee2..fcf7e56335e2e 100644 --- a/packages/aws-cdk-lib/aws-s3/README.md +++ b/packages/aws-cdk-lib/aws-s3/README.md 
@@ -156,6 +156,23 @@ bucket.grantReadWrite(myLambda); Will give the Lambda's execution role permissions to read and write from the bucket. +### Understanding "grant" Methods + +The S3 construct library provides three grant methods for the `Bucket` resource that have a special behavior. All three accept an `objectsKeyPattern` parameter to restrict granted permissions to specific resources: +- `grantRead` +- `grantWrite` +- `grantReadWrite` + +When examining the synthesized policy, you'll notice it includes both your specified object key patterns and the bucket itself. +This is by design. Some permissions (like `s3:ListBucket`) apply at the bucket level, while others (like `s3:GetObject`) apply to specific objects. + +Specifically, the [`s3:ListBucket` action operates on bucket resources](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-bucket) +and requires the bucket ARN to work properly. This might be seen as a bug, giving the impression that more permissions were granted than the ones you intended, but the reality is that the policy does not ignore your `objectsKeyPattern` - object-specific actions like `s3:GetObject` +will still be limited to the resources defined in your pattern. + +If you need to restrict the `s3:ListBucket` action to specific paths, you can add a `Condition` to your policy that limits the `objectsKeyPattern` to specific folders. For more details and examples, see the [AWS documentation on bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-folders). + + ## AWS Foundational Security Best Practices ### Enforcing SSL From b91b88015323ea338f8f5b80f4d37c1c30480ce8 Mon Sep 17 00:00:00 2001 
From: Jorge Diaz Date: Mon, 16 Jun 2025 18:35:22 +0200 Subject: [PATCH 2/3] chore(s3): updated documentation to provide better insights when using grant methods for the `Bucket` resource --- packages/aws-cdk-lib/aws-s3/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-s3/README.md b/packages/aws-cdk-lib/aws-s3/README.md index fcf7e56335e2e..020c631cfe742 100644 --- a/packages/aws-cdk-lib/aws-s3/README.md +++ b/packages/aws-cdk-lib/aws-s3/README.md @@ -158,9 +158,8 @@ from the bucket. ### Understanding "grant" Methods -The S3 construct library provides three grant methods for the `Bucket` resource that have a special behavior. All three accept an `objectsKeyPattern` parameter to restrict granted permissions to specific resources: +The S3 construct library provides several grant methods for the `Bucket` resource, but two of them have a special behavior. All three accept an `objectsKeyPattern` parameter to restrict granted permissions to specific resources: - `grantRead` -- `grantWrite` - `grantReadWrite` When examining the synthesized policy, you'll notice it includes both your specified object key patterns and the bucket itself. From 8a09b240019903dcae0ec1ddf922ab9802dcdf01 Mon Sep 17 00:00:00 2001 From: Jorge Diaz Date: Mon, 16 Jun 2025 18:35:22 +0200 Subject: [PATCH 3/3] chore(s3): updated documentation to provide better insights when using grant methods for the `Bucket` resource --- packages/aws-cdk-lib/aws-s3/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-s3/README.md b/packages/aws-cdk-lib/aws-s3/README.md index 020c631cfe742..2a972dd099a33 100644 --- a/packages/aws-cdk-lib/aws-s3/README.md +++ b/packages/aws-cdk-lib/aws-s3/README.md 
@@ -158,7 +158,7 @@ from the bucket. ### Understanding "grant" Methods -The S3 construct library provides several grant methods for the `Bucket` resource, but two of them have a special behavior. All three accept an `objectsKeyPattern` parameter to restrict granted permissions to specific resources: +The S3 construct library provides several grant methods for the `Bucket` resource, but two of them have a special behavior. This two accept an `objectsKeyPattern` parameter to restrict granted permissions to specific resources: - `grantRead` - `grantReadWrite`
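Review bot: In the first patch (the hunk at `@@ -156,6 +156,23 @@`), the sentence "you can add a `Condition` to your policy that limits the `objectsKeyPattern` to specific folders" is imprecise: `objectsKeyPattern` is a parameter of the CDK grant method, not something a policy condition operates on, so readers following this advice will look for a knob that does not exist. Reword it to say that the condition restricts which prefixes `s3:ListBucket` may list, naming the condition key the linked AWS example uses (`s3:prefix`), e.g. "add a `Condition` on `s3:ListBucket` (using the `s3:prefix` condition key) so listing is limited to the folders your pattern covers". Two smaller points in the same hunk: "This might be seen as a bug, giving the impression that more permissions were granted than the ones you intended" would read better as a short statement of what is granted at bucket level versus object level, and the " - " before "object-specific actions" should be a semicolon or a new sentence rather than a bare hyphen.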
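Review bot: The second patch (hunk at `@@ -158,9 +158,8 @@`) drops `grantWrite` from the list but leaves "All three accept an `objectsKeyPattern` parameter" in the same sentence, so the text now counts three while listing two; fix the count in the same commit rather than in a follow-up. The commit message also gives no reason for removing `grantWrite` (it reuses the generic "updated documentation" subject), so a reviewer cannot tell whether the claim in the first patch was wrong or whether the method simply behaves differently; state the reason in the message or, better, squash the three "chore(s3)" commits into one so the README is never in the inconsistent intermediate state.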
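Review bot: The third patch (hunk at `@@ -158,7 +158,7 @@`) replaces "All three" with "This two", which is ungrammatical; it should read "These two accept an `objectsKeyPattern` parameter". Since this hunk only corrects wording introduced two commits earlier in the same series, it belongs squashed into the first commit rather than landing as a separate fixup with an identical subject line.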