I'm trying to allow certain users to access object metadata without letting them retrieve the actual object in S3. Unfortunately, it seems that both HeadObject and GetObject share the same permissions, which makes it impossible to do this through bucket or IAM policies. Am I the only one dealing with this issue?
4 Answers
You can't split them directly in S3 since metadata is still considered data. A better approach would be to create an API layer on top of S3, where you can implement custom authentication and authorization logic. You could use API Gateway to do this and manage permissions through IAM. Just remember, S3 isn't designed for user-level service needs, so pushing it in that direction might cause complications.
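A sketch of what that API layer's authorization check could look like, as an added example that is not code from the thread or from AWS. It assumes the proxy runs under a role that holds s3:GetObject, that caller roles ("metadata-reader", "object-reader") arrive from the API layer's own authorizer, and it uses a constructed stand-in for the boto3 client so it runs offline:

```python
"""Metadata-only proxy in front of S3: IAM gates HeadObject and GetObject
with the same s3:GetObject action, so the proxy's execution role holds it
and the head/get split is enforced here, per caller role, before S3 is hit."""
import io

# Caller roles and the proxy operations each may perform. Role names are
# assumed to come from the API layer's authorizer, not from S3.
ALLOWED_OPS = {
    "metadata-reader": {"head"},
    "object-reader": {"head", "get"},
}
# HeadObject fields passed through to callers; the object body never is.
METADATA_FIELDS = ("ContentLength", "ContentType", "LastModified", "ETag", "Metadata")


class Forbidden(Exception):
    """Raised when the caller's role does not permit the operation."""


def authorize(role, op):
    # Deny by default: an unknown role is allowed nothing.
    if op not in ALLOWED_OPS.get(role, set()):
        raise Forbidden(f"role {role!r} may not perform {op}")


def head_object_proxy(s3, role, bucket, key):
    """Return a filtered HeadObject response; no body is ever fetched."""
    authorize(role, "head")
    resp = s3.head_object(Bucket=bucket, Key=key)
    return {k: resp[k] for k in METADATA_FIELDS if k in resp}


def get_object_proxy(s3, role, bucket, key):
    """Return the object body only to roles permitted to read content."""
    authorize(role, "get")
    return s3.get_object(Bucket=bucket, Key=key)["Body"].read()


class FakeS3:
    """Constructed stand-in for a boto3 S3 client so the example runs offline."""

    def __init__(self, objects):
        self.objects = objects  # {(bucket, key): (body_bytes, user_metadata)}

    def head_object(self, Bucket, Key):
        body, meta = self.objects[(Bucket, Key)]
        return {"ContentLength": len(body), "ContentType": "text/plain",
                "ETag": '"constructed-etag"', "Metadata": meta}

    def get_object(self, Bucket, Key):
        body = self.objects[(Bucket, Key)][0]
        return {**self.head_object(Bucket=Bucket, Key=Key), "Body": io.BytesIO(body)}
```

Behind this proxy, end users never hold S3 credentials at all; the only principal with s3:GetObject is the proxy's execution role, which is what makes the split enforceable.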
As far as I know, you can't achieve this directly with S3. Both actions share the same permissions, so it's not possible to separate them without an additional layer.
If your goal is for someone to check metadata without accessing the file, consider using QuickSight dashboards to display that metadata in a controlled manner.
What’s the actual reason behind needing metadata access without file access? It seems like a unique case.
In a bank, for example, you might want engineers to monitor traffic without seeing sensitive transactions.
It’s like having a security person check labels on boxes: they inform someone else if they see something off, without accessing the contents.

That totally makes sense! Having that API layer sounds like a solid plan.