[BUG REPORT] Impossible to rename object in S3 Bucket without ListAllMyBuckets

0

I've been searching the web and mostly Amazon docs all day and couldn't find an answer to this issue.

I (the root user) have several buckets in AWS S3.

I've assigned a new bucket to a new IAM user and I don't want him to see all the bucket names under: https://s3.console.aws.amazon.com/s3/buckets (he can access his bucket at: https://s3.console.aws.amazon.com/s3/buckets/HISBUCKETNAME).

However, I also want the user to be able to rename a file in his bucket. This is impossible if I remove ListAllMyBuckets from his IAM policy.

So in the working user IAM policy I have

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:DeleteObjectVersion"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

Unfortunately, now the user can see all the buckets in https://s3.console.aws.amazon.com/s3/buckets (though he doesn't have access to them).

Once I remove "s3:ListAllMyBuckets", the user gets access denied when trying to rename a file in his bucket.

Is there a way to allow the user to rename a file in his bucket without him having access to the list of all the bucket names (i.e. without ListAllMyBuckets)?

Thanks

1 Answer
1

You're not the first person that has seen this https://repost.aws/questions/QUPE1n7zbjTs-H4twQ3kh29w/renaming-object-in-s3-console-fails-if-listallmybuckets-permission-is-not-provided

I've created exactly the same setup and am seeing the same behaviour: sign in as an IAM user with an attached policy that has s3:ListAllMyBuckets and confirm the user can log in to the console, navigate to the bucket, rename an object. All good.

Remove s3:ListAllMyBuckets and the user can navigate to the bucket (using the URL to get there directly) but can't rename the object.

[screenshot: the console's error message for the failed rename]

Notice the complaint isn't about the absence of s3:ListAllMyBuckets but is instead about s3:PutObject (which the user already has).

And just to add more confusion, set up an API key pair and try it through the CLI, and it works when the policy doesn't have s3:ListAllMyBuckets:

$ aws s3 mv s3://[TEMP_TEST_BUCKET]/foo.png s3://[TEMP_TEST_BUCKET]/bar.png
move: s3://[TEMP_TEST_BUCKET]/foo.png to s3://[TEMP_TEST_BUCKET]/bar.png
$

Can you log a bug about this? At the very least the error message (in red in the AWS Console) needs to refer to the absence of s3:ListAllMyBuckets and not (wrongly) s3:PutObject. And hopefully this will prompt the follow-up question about why s3:ListAllMyBuckets is needed for a rename operation in the first place (but only in the console, not the CLI).

EXPERT
Steve_M
answered 10 months ago
  • I will log a bug report. Thanks.
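The policy in the question and the `aws s3 mv` in the answer both come down to the same least-privilege question: which actions does an in-bucket rename actually need, and does the policy grant anything broader? The following script is an added example, not code from this thread or from AWS. It loads the posted policy, reports whether it grants s3:ListAllMyBuckets across the account, checks that the object-level actions a rename uses are granted on the user's bucket, and produces a tightened copy scoped to that one bucket. The bucket name, the probe bucket name, the assumed rename action set, and the simplified IAM matching (Allow statements and wildcards only, no Deny or Condition handling) are assumptions for this illustration.

```python
"""Least-privilege check for the S3 policy in the question.

Added example, not code from the re:Post thread or from AWS. It answers two
questions offline: does the policy grant s3:ListAllMyBuckets on every bucket,
and does it grant the object-level actions an in-bucket rename needs? It then
produces a tightened copy scoped to the one bucket. The bucket name, the
rename action set and the policy text are assumptions for this illustration.
"""
import copy
import fnmatch
import json

# Constructed sample: the policy posted in the question, compacted.
SAMPLE_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow",
     "Action": ["s3:*", "s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::bucket-name"},
    {"Effect": "Allow",
     "Action": ["s3:*", "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                "s3:GetObjectAcl", "s3:DeleteObject", "s3:GetObjectVersion",
                "s3:DeleteObjectVersion"],
     "Resource": "arn:aws:s3:::bucket-name/*"}
  ]
}
""")

# S3 has no rename API; `aws s3 mv` within a bucket is CopyObject (authorised
# as s3:GetObject on the source and s3:PutObject on the destination) followed
# by DeleteObject on the old key. This is the assumed minimal object-level set.
RENAME_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def grants(policy, action, resource_arn):
    """True if an Allow statement matches the action and the concrete ARN.

    IAM "*" / "?" wildcards in Action and Resource are honoured; Deny
    statements and Condition blocks are ignored, so this is an optimistic
    check, not a full IAM simulation.
    """
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"])):
            return True
    return False


def lists_all_buckets(policy):
    """Does the policy let the principal enumerate every bucket in the account?"""
    # Probe with a constructed bucket name the user should not know about.
    return grants(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::some-other-bucket")


def missing_rename_actions(policy, bucket, key):
    """Rename-relevant actions the policy does NOT grant on bucket/key."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return [a for a in RENAME_ACTIONS if not grants(policy, a, arn)]


def tighten(policy, bucket):
    """Copy of the policy scoped to one bucket.

    Drops statements whose resources are not the bucket ARN or keys under
    it, and strips the "s3:*" wildcard, which made every explicit action
    listed beside it redundant.
    """
    prefix = f"arn:aws:s3:::{bucket}"
    out = {"Version": policy["Version"], "Statement": []}
    for st in policy["Statement"]:
        resources = _as_list(st["Resource"])
        if not all(r == prefix or r.startswith(prefix + "/") for r in resources):
            continue
        st = copy.deepcopy(st)
        st["Action"] = [a for a in _as_list(st["Action"]) if a != "s3:*"]
        if st["Action"]:
            out["Statement"].append(st)
    return out


if __name__ == "__main__":
    print("lists all buckets:", lists_all_buckets(SAMPLE_POLICY))
    print("missing for rename:", missing_rename_actions(SAMPLE_POLICY, "bucket-name", "foo.png"))
    tight = tighten(SAMPLE_POLICY, "bucket-name")
    print(json.dumps(tight, indent=2))
    print("after tightening, lists all buckets:", lists_all_buckets(tight))
    print("after tightening, missing for rename:",
          missing_rename_actions(tight, "bucket-name", "foo.png"))
```

Run it as-is and the tightened policy keeps s3:ListBucket on the bucket (so the console URL navigation the answer describes still works) and the object actions on `bucket-name/*`, while no statement grants anything on other buckets. That is the policy shape under which the CLI rename in the answer succeeds; whether the console's rename dialog accepts it is the separate bug the answer asks to be logged.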
