User is able to list all AWS S3 buckets, though he cannot access them

0

I have created a user who can access a particular S3 bucket. But he is able to list all S3 buckets. Why is that so? He must list only those S3 buckets for which he has access.

Why can't he list only those buckets for which he has been granted access?

3 Answers
0
Accepted answer

Hello,

Unfortunately, with the way the S3 permissions are structured, they only allow a user to be granted access to either list all buckets within the S3 account or not be able to list any buckets at all. This is because to list buckets within S3 we grant the s3:ListAllMyBuckets permission; however, this also requires the policy resource to be "arn:aws:s3:::*". If the resource is a specific bucket then an AccessDenied error will occur, and the user will not be able to list any of the buckets within the S3 account. Instead, if you would just like to grant access to one bucket and its objects, you can remove the s3:ListAllMyBuckets permission and grant the S3 permission s3:ListBucket, with the policy resource listed as "arn:aws:s3:::BucketName". This way the user can only access the specific bucket. Add the s3:PutObject and s3:GetObject permissions to modify the contents of the specific bucket if needed. For further reference, take a look at this doc on granting a user Amazon S3 console access to only a certain bucket or folder.

AWS
answered 10 months ago
EXPERT
reviewed 7 months ago
AWS
EXPERT
reviewed 10 months ago
0

Yeah, this is fine. The issue is, we do not want the user to list all buckets, but instead to list only the permitted bucket.

Dhaval
answered 10 months ago
0

It is hard to tell without looking at the IAM policy attached to the user. You could probably start by checking what permissions are granted to the user. If we want to restrict the user to a single bucket, please refer to the sample policy below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::SAMPLE-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::SAMPLE-BUCKET/*"
    }
  ]
}

If we want to allow the user to list all buckets, see the sample IAM policy below. The actions s3:ListAllMyBuckets and s3:GetBucketLocation will allow the user to list all buckets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::SAMPLE-BUCKET"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::SAMPLE-BUCKET/*"]
    }
  ]
}
answered 10 months ago
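As an added example that is not part of this thread (it is neither AWS code nor anything the answerers posted): a small Python model of the IAM evaluation behind the accepted answer's explanation and the two sample policies above. It loads the bucket-scoped policy and the account-wide listing policy from the previous answer, plus a constructed mis-scoped variant that tries to grant s3:ListAllMyBuckets on a single bucket ARN, and then evaluates the requests a user would make. The model is a simplification: no conditions, principals, NotAction/NotResource, SCPs or bucket policies, and it assumes (as the accepted answer describes) that s3:ListAllMyBuckets is matched against the account-wide resource "arn:aws:s3:::*", so only a wildcard Resource such as "*" or "arn:aws:s3:::*" can ever allow it. The policy names and the key "key.txt" are invented for the example.

```python
"""Minimal IAM evaluator for the S3 listing actions discussed in the thread.

Added example, not from the thread or from AWS. An action is allowed only if
some Allow statement matches both the action and the requested resource ARN
and no Deny statement matches; anything else is an implicit deny.
"""
import json
import re

# Bucket-scoped policy from the answer above: no s3:ListAllMyBuckets at all.
BUCKET_SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::SAMPLE-BUCKET"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::SAMPLE-BUCKET/*"}
  ]
}
""")

# Account-wide listing policy from the answer above (Resource "*" for the list).
ACCOUNT_WIDE_LIST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::SAMPLE-BUCKET"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::SAMPLE-BUCKET/*"]}
  ]
}
""")

# Constructed mis-scoped variant: the mistake the accepted answer warns about.
MISSCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::SAMPLE-BUCKET"}
  ]
}
""")

# Assumption of this model: ListAllMyBuckets is an account-level call, so the
# resource it is evaluated against is the S3 wildcard ARN, not a bucket ARN.
LIST_ALL_RESOURCE = "arn:aws:s3:::*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """True if `action` on `resource` is allowed; explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(_matches(a, action.lower()) for a in actions):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_s3_listing(policy, bucket):
    """What a caller can list and read in `bucket` under `policy`."""
    return {
        "list_all_buckets": is_allowed(policy, "s3:ListAllMyBuckets", LIST_ALL_RESOURCE),
        "list_bucket": is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "get_object": is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/key.txt"),
    }


def lint_list_all_my_buckets(policy):
    """Flag Allow statements granting s3:ListAllMyBuckets on a non-wildcard resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt["Effect"] != "Allow" or "s3:listallmybuckets" not in actions:
            continue
        for r in _as_list(stmt.get("Resource", [])):
            if not _matches(r, LIST_ALL_RESOURCE):
                findings.append(f"Statement {i}: s3:ListAllMyBuckets with Resource {r!r} never matches")
    return findings


if __name__ == "__main__":
    for name, policy in [("bucket-scoped", BUCKET_SCOPED_POLICY),
                         ("account-wide list", ACCOUNT_WIDE_LIST_POLICY),
                         ("mis-scoped", MISSCOPED_POLICY)]:
        print(name, check_s3_listing(policy, "SAMPLE-BUCKET"),
              check_s3_listing(policy, "OTHER-BUCKET"), lint_list_all_my_buckets(policy))
```

The output makes the thread's point concrete: the bucket-scoped policy gives list_all_buckets=False but list_bucket=True for SAMPLE-BUCKET and nothing for OTHER-BUCKET, the account-wide policy turns list_all_buckets on for every caller while still refusing s3:ListBucket on OTHER-BUCKET, and the mis-scoped policy allows nothing at all and is flagged by the lint. There is no middle ground where the bucket list itself is filtered; the console and `aws s3 ls` with no arguments both issue ListAllMyBuckets, so a user limited to one bucket has to address it by name.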
