S3 bucket access to specific User without listing all buckets


I am trying to figure out how to do something specific. I want to have individual buckets for 3 IAM users (user1, user2, user3). Each user should have access to their own bucket (bucket1, bucket2, bucket3), but only one particular user (user1) should see all three buckets (the bucket related to himself along with the other 2 buckets). I have created IAM policies and bucket policies. The bucket policies are working fine, but the IAM policies are not working as expected. The IAM policy is provided below. I added line numbers to specify which line(s) are causing the issue. Notice the "s3:ListAllMyBuckets" on line 6, which is giving access to the S3 buckets. With this policy, user2 can see all three buckets created (his and the other 2), which I don't want. I want user2 to see only the bucket related to him (bucket2), but if I simply remove lines 4-15 (the first permission) to avoid displaying all buckets in S3, user2 will not be able to see any buckets, not even his own! FYI, bucket2 was created by user2 and he owns the bucket. What is the fix? How can I change the IAM policy to display his own bucket without viewing other buckets?

1.  {
2.    "Version": "2012-10-17",
3.    "Statement": [
4.      {
5.        "Action": [
6.          "s3:ListAllMyBuckets",
7.          "s3:CreateBucket",
8.          "s3:PutEncryptionConfiguration"
9.        ],
10.       "Effect": "Allow",
11.       "Resource": [
12.         "arn:aws:s3:::*"
13.       ]
14.     },
15.     {
16.       "Action": [
17.         "s3:ListBucket",
18.         "s3:GetBucketLocation",
19.         "s3:CreateBucket"
20.       ],
21.       "Effect": "Allow",
22.       "Resource": "arn:aws:s3:::bucket2"
23.     },
24.     {
25.       "Effect": "Allow",
26.       "Action": [
27.         "s3:GetObject",
28.         "s3:PutObject",
29.         "s3:DeleteObject"
30.       ],
31.       "Resource": "arn:aws:s3:::bucket2/*"
32.     }
33.   ]
34. }
1 answer

Accepted answer

Hello.

To get the list of buckets in the management console, you need the "s3:ListAllMyBuckets" action, but this action cannot be restricted in the Resource element, so you cannot limit it to specific buckets.
In other words, when the S3 bucket list screen is displayed in the management console, it is not possible to show only specific S3 buckets.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

I thought that if the Resource of actions such as "s3:ListBucket" is restricted at the bucket level, it would be possible to restrict object viewing, so there would be no problem.

Expert
answered 2 months ago
Expert
reviewed 2 months ago
Expert
reviewed 2 months ago
  • I understand, and thank you for your immediate response. Now, considering what you have cited, what if I make changes so that instead of having 3 different buckets, I have 1 bucket with 3 different folders, one for each user? Can I apply the specific access I was discussing? User1 can see all folders, but user2 will see folder2 and user3 folder3. If this is doable, please guide me through the steps, for example whether any IAM policies or bucket policies are needed. Thank you.

  • Similar to buckets, it is not possible to list only specific folders or objects. To list objects and folders, the "s3:ListBucket" action is required, and its resource type is the bucket ("bucket*"), so it cannot be restricted by object or folder.
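As an added example (this is not code from the question or the answer above), the script below generalizes the questioner's policy to all three users and runs the result through a small offline evaluator, so you can see why user2 sees every bucket name yet can only enumerate bucket2. User and bucket names are taken from the question; the evaluator is a simplified model of IAM's Allow/Deny logic with "*" wildcards and ignores Conditions, bucket policies, SCPs and permission boundaries.

```python
"""Added example: per-user S3 identity policies for user1/user2/user3 plus a
simplified offline evaluator. Not AWS code; models only Allow/Deny with
IAM-style wildcards (no Conditions, bucket policies, SCPs or boundaries)."""
import fnmatch
import json

# Constructed from the question: each user owns one bucket; user1 may use all three.
ALL_BUCKETS = ["bucket1", "bucket2", "bucket3"]
VISIBLE_TO = {
    "user1": ["bucket1", "bucket2", "bucket3"],
    "user2": ["bucket2"],
    "user3": ["bucket3"],
}


def build_policy(user):
    """Identity policy for one user. s3:ListAllMyBuckets has no bucket-level
    resource, so it must stay on the wildcard and reveals every bucket name;
    everything else is scoped to the buckets this user may use."""
    buckets = VISIBLE_TO[user]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConsoleBucketList",
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets"],
                "Resource": "arn:aws:s3:::*",
            },
            {
                "Sid": "BucketLevel",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{b}" for b in buckets],
            },
            {
                "Sid": "ObjectLevel",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets],
            },
        ],
    }


def drop_statement(policy, sid):
    """Copy of the policy without the statement named `sid`, to reproduce the
    questioner's experiment of removing the ListAllMyBuckets grant."""
    return {
        "Version": policy["Version"],
        "Statement": [s for s in policy["Statement"] if s.get("Sid") != sid],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching
    Allow permits, otherwise implicit deny. '*' and '?' act as IAM wildcards."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def visible_bucket_names(policy):
    """Names the console bucket list (or `aws s3 ls` with no bucket) shows.
    The call carries no bucket ARN, so it is modelled against the S3 wildcard."""
    if is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*"):
        return list(ALL_BUCKETS)
    return []


def listable_buckets(policy):
    """Buckets whose contents the user may enumerate (`aws s3 ls s3://<bucket>`)."""
    return [b for b in ALL_BUCKETS if is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{b}")]


if __name__ == "__main__":
    for user in VISIBLE_TO:
        p = build_policy(user)
        print(user, "sees names:", visible_bucket_names(p), "can list:", listable_buckets(p))
    stripped = drop_statement(build_policy("user2"), "ConsoleBucketList")
    print("user2 without ListAllMyBuckets sees names:", visible_bucket_names(stripped),
          "but can still list:", listable_buckets(stripped))
    print(json.dumps(build_policy("user2"), indent=2))
```

Running it shows the trade-off the answer describes: with the first statement, user2 sees all three names but can only list and read bucket2; without it, the console list is empty even though `aws s3 ls s3://bucket2` still works, because that call needs only s3:ListBucket on the bucket. A user who works through the CLI or an SDK therefore needs no ListAllMyBuckets at all; only the console bucket list does. For the one-bucket-with-folders variant raised in the comments, s3:ListBucket can additionally be limited with a Condition on the s3:prefix key, which controls which prefixes the user may enumerate; this example does not model Conditions, and the bucket name itself will still appear in the list.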
