X-account S3 grantRead() does not respect objectKeysPattern

[AaronLeon]

Describe the bug

Using S3 bucket.grantRead to grant x-account access successfully creates a bucket policy statement but does not restrict the resource correctly

bucket.grantRead(new ArnPrincipal(arn:aws:iam::XXXXXXXXXX:role/x-account-role), 's3-prefix/*');

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

The bucket policy restricts to the S3 prefix I provided

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXX:role/x-account-role"
            },
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/s3-prefix/*"
            ]
        }
    ]
}

Current Behavior

The bucket policy grants read to the entire bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXX:role/x-account-role"
            },
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/s3-prefix/*"
            ]
        }
    ]
}

Reproduction Steps

dataBucket = new SecureBucket(this, "DataBucket", {
    bucketName: props.bucketName,
    encryption: BucketEncryption.KMS,
    enforceSSL: true,
    versioned: true,
    bucketKeyEnabled: true,
    lifecycleRules: [
        {
            expiredObjectDeleteMarker: true,
            noncurrentVersionExpiration: Duration.days(30),
        },
    ],
});
bucket.grantRead(new ArnPrincipal(arn:aws:iam::XXXXXXXXXX:role/x-account-role), 's3-prefix/*');

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.180.0

AWS CDK CLI version

2.1016.1

Node.js Version

20

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Hi @AaronLeon

{
  "Action": [
    "s3:GetBucket*",
    "s3:GetObject*",
    "s3:List*"
  ],
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::123456789012:role/test-role"
  },
  "Resource": [
    {
      "Fn::GetAtt": ["TestBucket560B80BC", "Arn"]
    },
    {
      "Fn::Join": ["", [
        {"Fn::GetAtt": ["TestBucket560B80BC", "Arn"]},
        "/test-prefix/*"
      ]]
    }
  ]
}

I believe the risk you mentioned is this allows the principal to List all objects in the bucket including the ones at the root level though they can't get them.

Which means

✅ CAN:

• List all objects in the bucket
• Get objects under test-prefix/*

❌ CANNOT:

• Get objects at the root level
• Get objects in other prefixes

The issue is about listing visibility being too broad, not about the ability to get objects outside the intended prefix.

Is it correct?

[GavinZZ]

Thanks for bringing this up!

We do consider this an information disclosure issue because the current permissions allow listing all object keys in the bucket root and other prefixes, even though object content access is limited to the specified prefix.

While this isn’t a high-impact security vulnerability (no direct access to object data outside the allowed prefix), exposing object names and metadata could reveal sensitive information about your bucket’s contents and structure.

For better security hygiene, we recommend scoping the permissions yourself for this use case for now. We agree this is something that should be fixed and improved in the policy or update the README and docstring to correctly describe the behaviour of the grant method call.

Thanks again for the report! Happy to help with any follow-up.

[GavinZZ]

Upon further investigation, we notice that to list objects under a specific prefix in an S3 bucket, you need

1. Permissions on the bucket level for ListBucket action
2. Permission on the object level for the specific prefix

This means that we cannot change this behaviour. I think the best way forward would be updating our documentation (README and docstring on grantRead and grantWrite method) to explain this limitation and behavior. I'll kick off a PR to update the documentation for this.

The best way to solve this issue is to use S3 prefix condition keys if you do not want to enable list operation at the bucket level. See this page for an example https://github.com/awsdocs/amazon-s3-developer-guide/blob/master/doc_source/amazon-s3-policy-keys.md#example-2-getting-a-list-of-objects-in-a-bucket-with-a-specific-prefix.