User is able to list all AWS S3 buckets, though he cannot access them

0

I have created a user who can access a particular S3 bucket. But he is able to list all S3 buckets. Why is that so? He must list only those S3 buckets for which he has access.

Why can't he list only those buckets for which he has been granted access?

3 Answers
0
Accepted Answer

Hello,

Unfortunately, with the way the S3 permissions are structured, they only allow a user to be granted access either to list all buckets within the S3 account or not to list any buckets at all. This is because to list buckets within S3 we grant the s3:ListAllMyBuckets permission; however, this also requires the policy resource to be "arn:aws:s3:::*". If the resource is a specific bucket then an AccessDenied error will occur, and the user will not be able to list any of the buckets within the S3 account. Instead, if you would just like to grant access to one bucket and its objects, you can remove the s3:ListAllMyBuckets permission and grant the S3 permission s3:ListBucket with the policy resource listed as "arn:aws:s3:::BucketName". This way the user can only access the specific bucket. Add the s3:PutObject and s3:GetObject permissions to modify the contents of the specific bucket if needed. For further reference, take a look at this doc to grant a user Amazon S3 console access to only a certain bucket or folder.

AWS
answered 9 months ago
0

Yes, this is fine. The issue is, we do not want the user to list all buckets; instead, list only the permitted bucket.

Dhaval
answered 9 months ago
0

It is hard to tell without looking at the IAM policy attached to the user. Probably you can check what permissions are granted to the user. If we want to restrict the user to a single bucket, please refer to the sample policy below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::SAMPLE-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::SAMPLE-BUCKET/*"
    }
  ]
}

If we want to allow the user to list all buckets, see the sample IAM policy below. The actions s3:ListAllMyBuckets and s3:GetBucketLocation will allow the user to list all buckets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::SAMPLE-BUCKET"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::SAMPLE-BUCKET/*"]
    }
  ]
}
answered 9 months ago
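An added offline check (example code written for this page, not from AWS or from the answers above) that runs the single-bucket policy through a simplified IAM matcher. It shows why s3:ListAllMyBuckets needs a Resource of "*" and why a bucket-scoped policy cannot leak listing of other buckets; the evaluator only models Effect/Action/Resource wildcards and treats a request with no bucket-specific resource as the literal "*" (an assumption, not the full IAM engine with conditions, NotAction or resource policies).

```python
import fnmatch
import json

# Constructed sample: the single-bucket policy from the answer above.
SINGLE_BUCKET_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": "arn:aws:s3:::SAMPLE-BUCKET"},
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
   "Resource": "arn:aws:s3:::SAMPLE-BUCKET/*"}
]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: "*" matches any run of characters, "?" one character.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource="*"):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow,
    otherwise implicit deny. ASSUMPTION: a request without a bucket resource
    (s3:ListAllMyBuckets) is evaluated against the literal "*", so only a
    policy Resource of "*" can grant it."""
    allowed = False
    for stmt in policy["Statement"]:
        act_ok = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        res_ok = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if not (act_ok and res_ok):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_bucket_scope(policy, bucket):
    """Report what the policy lets a user do with one bucket and whether it
    grants account-wide bucket listing (the question asker's concern)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "list_all_buckets": is_allowed(policy, "s3:ListAllMyBuckets"),
        "list_bucket": is_allowed(policy, "s3:ListBucket", arn),
        "get_object": is_allowed(policy, "s3:GetObject", f"{arn}/report.csv"),
        "put_object": is_allowed(policy, "s3:PutObject", f"{arn}/report.csv"),
    }


if __name__ == "__main__":
    print(check_bucket_scope(SINGLE_BUCKET_POLICY, "SAMPLE-BUCKET"))
    print(check_bucket_scope(SINGLE_BUCKET_POLICY, "OTHER-BUCKET"))
```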