Home/ Questions/Q 7989559
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T12:47:10+00:00

Using Cloudformation can you set the Authenticated Users group to have put/delete Access Control

  • 0

Using Cloudformation can you set the Authenticated Users group to have put/delete Access Control when creating an S3 Bucket?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is not possible with the initial and respectively limited Access Control Lists (ACL) of Amazon S3, where only the predefined Canned ACLs are available for use with the AWS resource types supported by AWS CloudFormation in turn, see property AccessControl of the AWS::S3::Bucket resource:

    A canned ACL that grants predefined permissions on the bucket. Default
    is Private. For more information about canned ACLs, see Canned ACLs in the Amazon S3 documentation.

    Valid values for AccessControl: AuthenticatedRead | AwsExecRead | BucketOwnerRead | BucketOwnerFullControl | LogDeliveryWrite | Private | PublicRead | PublicReadWrite

    Assuming you do not want to give put/delete access to all S3 users in fact (which the Authenticated Users group actually implies to the surprise of the unaware S3 developer), but only to the users of your own (or a well known set of) account(s) as usual for most use cases, you can achieve your goal by using S3 Bucket Policies instead.

    The Example Cases for Amazon S3 Bucket Policies provide an example policy for Granting Permissions to Multiple Accounts with Added Restrictions, which grants PutObject, and PutObjectAcl permissions to multiple accounts and requires that the public-read canned acl is included – stripping this to the requested set and transforming it into a CloudFormation template snippet would yield the following approximately (you’d need to adjust the Principal to your account(s) of course):

    "Resources" : {
  "S3Bucket" : {
    "Type" : "AWS::S3::Bucket"
  },
  "BucketPolicy" : {
    "Type" : "AWS::S3::BucketPolicy",
    "Properties" : {
      "PolicyDocument": {
        "Id"           : "Grant access to all account users",
        "Statement"    : [{
          "Sid"        : "PutObjectAccess",
          "Action"     : ["s3:PutObject"],
          "Effect"     : "Allow",
          "Resource"   : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3Bucket"} ]]},
          "Principal"  : { "AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"] }
        }]
      },
      "Bucket" : {"Ref" : "S3Bucket"}
    }
  },
},

    Please be aware of the peculiarities of Using ACLs and Bucket Policies Together in case.

    • 0