List contents of buckets

Question

Good afternoon all,  
  
I'm quite new to IAM and policy writing so any help would be appreciated.  
  
Basically i would like to give one of our IAM users access to list the bucket contents but they get "An error occurred (access denied) when calling the ListBuckets operation: Access Denied  
  
This is my policy, what is wrong?  
{  
    "Version": "2012-10-17",  
    "Statement": \[  
        {  
            "Effect": "Allow",  
            "Action": \[  
                "s3:PutObject",  
                "s3:GetObject",  
                "s3:DeleteObjectVersion",  
                "s3:PutObjectVersionAcl",  
                "s3:ListBucket",  
                "s3:DeleteObject",  
                "s3:PutObjectAcl"  
            ],  
            "Resource": \[  
                "arn:aws:s3:::Bucketname"  
            ]  
        }  
    ]  
}  
Thanks  
Simon

Answer

Hi Simon,  
  
The error "An error occurred (access denied) when calling the ListBuckets operation: Access Denied" would occur if your user does not have permission to view all the S3 buckets in your account. "ListBuckets" is the name of the API call that is made to list all S3 buckets. The corresponding permission to request this API is "s3:ListAllMyBuckets". Therefore, if your user requires access to view all buckets in your account, or they are accessing the S3 console, you will have to add the "s3:ListAllMyBuckets" to the IAM user's policy.   
  
While framing a policy, it is also important to note that some actions support resource-level permissions and some do not. For example, "s3:ListAllMyBuckets" does not support resource-level permissions and you must specify all resources ("*") for this permission. On the other hand, "s3:ListBucket" which is the permission required to list the contents in your bucket, requires you to specify a bucket as the resource. Permissions like "s3:PutObject" and "s3:GetObject" are object-level permissions, and therefore, you must specify an object as the resource. To get a better understanding of which S3 action supports which resource, you can refer to the following link (It also acts as a handy guide while framing policies):  
  
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html   
  
So in this case, the correct policy would look as follows:  
  
{  
    "Version": "2012-10-17",  
    "Statement": \[  
        {  
            "Sid": "ObjectPermissions",  
            "Effect": "Allow",  
            "Action": \[  
                "s3:PutObject",  
                "s3:GetObject",  
                "s3:DeleteObjectVersion",  
                "s3:PutObjectVersionAcl",  
                "s3:DeleteObject",  
                "s3:PutObjectAcl"  
            ],  
            "Resource": "arn:aws:s3:::Bucketname/*"  
        },  
        {  
            "Sid": "ListBucketContents",  
            "Effect": "Allow",  
            "Action": "s3:ListBucket",  
            "Resource": "arn:aws:s3:::Bucketname"  
        },  
        {  
            "Sid": "ListAllBuckets",  
            "Effect": "Allow",  
            "Action": "s3:ListAllMyBuckets",  
            "Resource": "*"  
        }  
    ]  
}  
  
With this policy attached, the user will have access to list all S3 buckets in your account but will be able to list the contents of only the specified bucket. The user will also be able to upload, download and delete objects from the specified bucket.   
  
Hope this helps :)

Answer

Thank you so much, that has resolved my problem.

List contents of buckets

관련 콘텐츠