By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Cross account access single s3 buckets without listing all buckets to another account

0

Hello

By using following iam policy i have set cross account access to single s3 buckets but it will show all buckets list to another account rather that show only single bucket which i want to share.

Action "s3:ListAllMyBuckets" will list all buckets to another account but if i am not include this action in iam policy it show me error

"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::AccountABucketName"
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::AccountABucketName/*"
    }
]

}

help me in this query

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAWS Identity and Access ManagementStorageIAM Policies
Language
English
rePost-User-0457294
asked 2 years ago655 views
1 Answer
0

You will have to remove the s3:ListAllMyBuckets permission to prevent the buckets being shown as per https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/

Is the error being returned when attempting to modify the IAM policy or when viewing the S3 console?

lp901
answered 2 years ago
  • rePost-User-0457294
    2 years ago

    Yes, i returned to following error when viewing s3 console through login iam user

    You don't have permissions to list buckets After you or your AWS administrator have updated your permissions to allow the s3:ListAllMyBuckets action, refresh this page.

  • lp901
    2 years ago

    I ran into that before as the S3 console needs the ListAllBuckets permission to work. You can then use the ListBucket permission like you have done above to prevent the requester from being able to actually see the files in other buckets but sadly from when I ran into this issue in the past I could find no way to show them only the buckets they had access to via the S3 console.

  • rePost-User-0457294
    2 years ago

    And how to prevent my client if i am sharing iam user credentials with my clients who have some knowledge of aws and he try to access bucket through direct account login aws url https://us-east-1.console.aws.amazon.com/ instead of given url of bucket https://s3.console.aws.amazon.com/s3/buckets/mybucket-name

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content