S3 bucket access to specific User without listing all buckets

0

I am trying to figure out how to do something specific. I want to have individual buckets for 3 IAM users (user1, user2, user3). Each user should have access to their own bucket (bucket1, bucket2, bucket3), but only one particular user (user1) should see all three buckets (the bucket related to himself along with the other 2 buckets). I have created IAM policies and bucket policies. The bucket policies are working fine, but the IAM policies are not working as expected. The IAM policy is provided below. I added line numbers to specify which line(s) are causing the issue. Notice the "s3:ListAllMyBuckets" on line 6, which is giving access to the S3 buckets. With this policy, user2 can see all three buckets created (his and the other 2), which I don't want. I want user2 to see only the bucket related to him (bucket2), but if I simply remove lines 4-15 (the first permission) to avoid displaying all buckets in S3, user2 will not be able to see any buckets, not even his own! FYI, bucket2 is created by user2 and he owns the bucket. What is the fix? How can I change the IAM policy to display his own bucket without viewing other buckets?

1.  {
2.    "Version": "2012-10-17",
3.    "Statement": [
4.      {
5.        "Action": [
6.          "s3:ListAllMyBuckets",
7.          "s3:CreateBucket",
8.          "s3:PutEncryptionConfiguration"
9.        ],
10.       "Effect": "Allow",
11.       "Resource": [
12.         "arn:aws:s3:::*"
13.       ]
14.     },
15.     {
16.       "Action": [
17.         "s3:ListBucket",
18.         "s3:GetBucketLocation",
19.         "s3:CreateBucket"
20.       ],
21.       "Effect": "Allow",
22.       "Resource": "arn:aws:s3:::bucket2"
23.     },
24.     {
25.       "Effect": "Allow",
26.       "Action": [
27.         "s3:GetObject",
28.         "s3:PutObject",
29.         "s3:DeleteObject"
30.       ],
31.       "Resource": "arn:aws:s3:::bucket2/*"
32.     }
33.   ]
34. }
1 Answer
3
Accepted Answer

Hello.

To get the list of buckets in the management console, you need the "s3:ListAllMyBuckets" action, but this action cannot be restricted in the resource section, so you cannot restrict it to only specific buckets.
In other words, when displaying the S3 bucket list screen from the management console, it is not possible to display only a specific S3 bucket.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

I thought that if the "s3:ListBucket" action etc. restricted the resource section at the bucket level, it would be possible to restrict object viewing, so there would be no problem.

EXPERT
answered 2 months ago
reviewed 2 months ago
  • I understand and thank you for your immediate response. Now, considering what you have cited, if I make changes where instead of having 3 different buckets, I have 1 bucket with 3 different folders, one for each user, can I apply the specific access I was discussing? User1 can see all folders, but user2 will see folder2 and user3 folder3. If this is doable, please guide me towards taking these steps, like if there are any IAM policies or bucket policies. Thank you.

  • Similar to buckets, it is not possible to list only specific folders or objects. To list objects and folders, the action "s3:ListBucket" is required, and the resource section of this is "bucket*", so it cannot be restricted by object or folder.
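
The behaviour described in the question and the accepted answer can be checked offline with a reduced IAM evaluator. This is an added example, not code from the question, the answer or AWS: it embeds the question's user2 policy (with its trailing comma removed so it parses), assumes a constructed account containing bucket1, bucket2 and bucket3, ignores Condition blocks and bucket policies, and models the console's bucket list as a single ListBuckets request against the whole bucket namespace ("arn:aws:s3:::*"), which is why only a wildcard Resource can match it while bucket-scoped statements cannot. The `lint_list_all` helper is a hypothetical policy check that flags any Allow statement granting s3:ListAllMyBuckets, the action the answer identifies as unrestrictable.

```python
import fnmatch
import json
from copy import deepcopy

# Constructed sample: the question's policy for user2, trailing comma removed.
USER2_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:CreateBucket", "s3:PutEncryptionConfiguration"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:CreateBucket"],
     "Resource": "arn:aws:s3:::bucket2"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::bucket2/*"}
  ]
}
""")

# Constructed account inventory (assumption: three buckets, one per user).
ALL_BUCKETS = ["bucket1", "bucket2", "bucket3"]


def _matches(patterns, value):
    """IAM-style wildcard match supporting '*' and '?', case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_allowed(policy, action, resource):
    """Reduced IAM evaluation (assumption: one identity policy, no Condition blocks).
    Default deny; an explicit Deny wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def console_bucket_list(policy, buckets=ALL_BUCKETS):
    """The console bucket list is one ListBuckets call over the whole namespace,
    so the request resource is 'arn:aws:s3:::*': it is all buckets or none."""
    if is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*"):
        return list(buckets)
    return []


def directly_listable(policy, buckets=ALL_BUCKETS):
    """Buckets whose contents the user can list by name (one ListBucket call each),
    which does not depend on s3:ListAllMyBuckets at all."""
    return [b for b in buckets if is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{b}")]


def without_list_all(policy):
    """The fix the question considers: drop s3:ListAllMyBuckets from the wildcard statement."""
    trimmed = deepcopy(policy)
    for stmt in trimmed["Statement"]:
        if isinstance(stmt["Action"], list):
            stmt["Action"] = [a for a in stmt["Action"] if a != "s3:ListAllMyBuckets"]
    return trimmed


def lint_list_all(policy):
    """Detection check (hypothetical): indices of Allow statements that grant
    s3:ListAllMyBuckets, an action that is always account-wide."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and _matches(s["Action"], "s3:ListAllMyBuckets")]


if __name__ == "__main__":
    print("console list, as posted:", console_bucket_list(USER2_POLICY))
    print("listable by name, as posted:", directly_listable(USER2_POLICY))
    trimmed = without_list_all(USER2_POLICY)
    print("console list, without ListAllMyBuckets:", console_bucket_list(trimmed))
    print("listable by name, without ListAllMyBuckets:", directly_listable(trimmed))
    print("statements granting ListAllMyBuckets:", lint_list_all(USER2_POLICY))
```

Running it shows both halves of the answer: with the policy as posted, user2's console list contains all three bucket names while object-level listing and access stay confined to bucket2; with s3:ListAllMyBuckets removed, the console list is empty, yet bucket2 remains listable when addressed by name, so the user loses only the directory view, not access to the bucket.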
