Hello,
Unfortunately, with the way the S3 permissions are structured, they only allow a user to be granted access either to list all buckets within the S3 account or not to list any buckets at all. This is because to list buckets within S3 we grant the permission s3:ListAllMyBuckets; however, this also requires the policy resource to be "arn:aws:s3:::*". If the resource is a specific bucket then an AccessDenied error will occur, and the user will not be able to list any of the buckets within the S3 account.
Instead, if you would just like to grant access to one bucket and its objects, you can remove the s3:ListAllMyBuckets permission and grant the S3 permission s3:ListBucket, with the policy resource listed as "arn:aws:s3:::BucketName". This way the user can only access the specific bucket. Add the s3:PutObject and s3:GetObject permissions to modify the contents of the specific bucket if needed.
For further reference, take a look at this doc to grant a user Amazon S3 console access to only a certain bucket or folder.
Yea, this is fine. Issue is, we do not want the user to list all buckets, instead list only the permitted bucket.
It is hard to tell without looking at the IAM policy attached to the user. Probably, you can check what permissions are granted to the user. If we want to restrict the user to a single bucket, please refer to the sample policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::SAMPLE-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::SAMPLE-BUCKET/*"
    }
  ]
}
If we want to allow the user to list all buckets, see the sample IAM policy below. The actions s3:ListAllMyBuckets and s3:GetBucketLocation will allow the user to list all buckets.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::SAMPLE-BUCKET"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::SAMPLE-BUCKET/*"]
    }
  ]
}
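Both answers above turn on the same point: each S3 action only works against a Resource of the right scope (s3:ListAllMyBuckets needs "*", s3:ListBucket the bucket ARN, s3:GetObject and s3:PutObject an object ARN), and the AccessDenied in the first answer comes from mixing those up. The following is an added example, not code from the thread or from AWS: a small linter that reads a policy document (for instance the JSON returned by `aws iam get-user-policy`) and reports every Allow statement whose Resource cannot satisfy one of its actions. The policies embedded in it are constructed copies of the two above, with SAMPLE-BUCKET as a placeholder, plus a deliberately broken one; the scope table covers only the five actions the answers use.

```python
"""Lint an S3 IAM policy for resource-scope mismatches (added example, not AWS code).

Scope each action needs:
  s3:ListAllMyBuckets                  account: Resource "*" or arn:aws:s3:::*
  s3:ListBucket, s3:GetBucketLocation  bucket:  arn:aws:s3:::BUCKET
  s3:GetObject, s3:PutObject           object:  arn:aws:s3:::BUCKET/...
Conditions and Deny statements are ignored: this is a scope check, not an IAM simulator.
"""
import fnmatch
import json

S3_ARN_PREFIX = "arn:aws:s3:::"

# Wildcard actions ("s3:*", "s3:List*") are expanded against this table, so
# actions not listed here are simply not checked.
REQUIRED_SCOPE = {
    "s3:ListAllMyBuckets": "account",
    "s3:ListBucket": "bucket",
    "s3:GetBucketLocation": "bucket",
    "s3:GetObject": "object",
    "s3:PutObject": "object",
}

WHY = {
    "account": 'account-level action: Resource must be "*" (a bucket ARN here gives AccessDenied)',
    "bucket": "bucket-level action: Resource must be the bucket ARN, arn:aws:s3:::BUCKET (no /key)",
    "object": "object-level action: Resource must be an object ARN, e.g. arn:aws:s3:::BUCKET/*",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def resource_scopes(arn):
    """Return the set of scopes ('account', 'bucket', 'object') one Resource entry can satisfy."""
    if arn in ("*", S3_ARN_PREFIX + "*"):
        return {"account", "bucket", "object"}
    if not arn.startswith(S3_ARN_PREFIX):
        return set()                      # not an S3 ARN at all
    rest = arn[len(S3_ARN_PREFIX):]
    if "/" in rest:
        return {"object"}
    if rest.endswith("*"):                # "arn:aws:s3:::bucket*" matches objects as well
        return {"bucket", "object"}
    return {"bucket"}


def lint_policy(policy):
    """Return (action, resources, message) tuples for each Allow statement whose
    Resource cannot satisfy one of its actions. An empty list means no mismatch."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        granted = set()
        for res in resources:
            granted |= resource_scopes(res)
        for pattern in _as_list(stmt.get("Action")):
            for action, needed in REQUIRED_SCOPE.items():
                # IAM action names are case-insensitive and may contain "*" / "?".
                if not fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    continue
                if needed not in granted:
                    findings.append((action, resources, WHY[needed]))
    return findings


def lint_json(text):
    """Same check for a policy document held as a JSON string."""
    return lint_policy(json.loads(text))


# Constructed input mirroring the single-bucket policy above (SAMPLE-BUCKET is a placeholder).
SINGLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::SAMPLE-BUCKET"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::SAMPLE-BUCKET/*"},
    ],
}

# Constructed broken policy: the AccessDenied case from the first answer
# (ListAllMyBuckets scoped to one bucket) plus GetObject on the bucket ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
         "Resource": "arn:aws:s3:::SAMPLE-BUCKET"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("single-bucket", SINGLE_BUCKET_POLICY), ("broken", BROKEN_POLICY)):
        findings = lint_policy(policy)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' problem(s)'}")
        for action, resources, why in findings:
            print(f"  {action} on {resources}: {why}")
```

The second policy in the answer above also passes this check, because s3:ListAllMyBuckets sits in its own statement with Resource "*". The practical consequence is the one the question is about: with that policy the user sees the name of every bucket in the account, while s3:ListBucket, s3:GetObject and s3:PutObject still only work on SAMPLE-BUCKET; without it, the user sees no bucket list and has to address SAMPLE-BUCKET directly.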