S3 bucket access to specific User without listing all buckets

0

I am trying to figure out how to do something specific. I want to have individual buckets for 3 IAM users (user1, user2, user3). Each user should have access to their own bucket (bucket1, bucket2, bucket3), but only one particular user (user1) should see all three buckets (the bucket related to himself along with the other 2 buckets). I have created IAM policies and bucket policies. The bucket policies are working fine, but the IAM policies are not working as expected. The IAM policy is provided below. I added line numbers to specify which line(s) are causing the issue. Notice the "s3:ListAllMyBuckets" on line 6, which is giving access to S3 buckets. With this policy, user2 can see all three buckets created (his and the other 2), which I don't want. I want user2 to see only the bucket related to him (bucket2), but if I simply remove lines 4-15 (the first permission) to avoid displaying all buckets in S3, user2 will not be able to see any buckets, not even his own! FYI, bucket2 is created by user2 and he owns the bucket. What is the fix? How can I change the IAM policy to display his own bucket without viewing other buckets?

1. {
2.   "Version": "2012-10-17",
3.   "Statement": [
4.      {
5.          "Action": [
6.               "s3:ListAllMyBuckets",
7.                "s3:CreateBucket",
8.                "s3:PutEncryptionConfiguration"
9.          ],
10.       "Effect": "Allow",
11.       "Resource": [
12.               "arn:aws:s3:::*"
13.        ]
14.     },
15.    {
16.          "Action": [
17.              "s3:ListBucket",
18.              "s3:GetBucketLocation",
19.              "s3:CreateBucket"
20.           ],
21.           "Effect": "Allow",
22.           "Resource": "arn:aws:s3:::bucket2"
23.   },
24.   {
25.         "Effect": "Allow",
26.         "Action": [
27.               "s3:GetObject",
28.               "s3:PutObject",
29.               "s3:DeleteObject"
30.          ],
31.          "Resource": "arn:aws:s3:::bucket2/*"
32.    }
33.  ]
34.}
Jana21
asked 2 months ago, 162 views
1 answer
3
Accepted answer

Hello.

To get the list of buckets in the management console, you need the "s3:ListAllMyBuckets" action, but this action cannot be restricted in the resource section, so you cannot restrict it to only specific buckets.
In other words, when displaying the S3 bucket list screen from the management console, it is not possible to display only a specific S3 bucket.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

I thought that if the "s3:ListBucket" action etc. restricted the resource section at the bucket level, it would be possible to restrict object viewing, so there would be no problem.

Expert
answered 2 months ago
Expert
reviewed 2 months ago
Expert
reviewed 2 months ago
  • I understand and thank you for your immediate response. Now, considering what you have cited, if I make changes where instead of having 3 different buckets I have 1 bucket with 3 different folders for each user, can I apply the specific access I was discussing? User1 can see all folders, but user2 will see folder2 and user3 folder3. If this is doable, please guide me towards taking these steps, like if there are any IAM policies or bucket policies. Thank you.

  • Similar to buckets, it is not possible to list only specific folders or objects. To list objects and folders, the action "s3:ListBucket" is required, and the resource section of this is "bucket*", so it cannot be restricted by object or folder.
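The behaviour the question reports (remove the first statement and user2 sees nothing, keep it and user2 sees every bucket) and the accepted answer's explanation (s3:ListAllMyBuckets is not evaluated against a bucket ARN, so it cannot be scoped) can be reproduced offline with a small model of IAM policy evaluation. This is an added example, not code from the original post or from AWS. It models only the Effect/Action/Resource parts of an identity-based policy (no Condition blocks, no bucket policies, no principals), and the bucket names, the object key and the "scoped ListAllMyBuckets" variant are constructed for illustration.

```python
"""Offline model of IAM evaluation for the S3 policy in the question.

Added example, not code from the original post or from AWS. It models only
the Effect/Action/Resource parts of an identity-based policy (no Condition
blocks, no bucket policies, no principals): an explicit Deny wins, otherwise
any matching Allow grants the call, otherwise the call is implicitly denied.
Bucket names and object keys below are constructed sample values.
"""
import fnmatch
import json
from typing import List

# The asker's policy, with the stray trailing comma after the second
# "s3:CreateBucket" removed so that it parses as JSON.
ORIGINAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListAllMyBuckets", "s3:CreateBucket", "s3:PutEncryptionConfiguration"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:CreateBucket"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket2"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::bucket2/*"
    }
  ]
}
""")


def without_first_statement(policy: dict) -> dict:
    """The asker's second attempt: drop the statement granting s3:ListAllMyBuckets."""
    return {"Version": policy["Version"], "Statement": policy["Statement"][1:]}


def with_scoped_list_all(policy: dict, bucket: str) -> dict:
    """Hypothetical attempt to scope s3:ListAllMyBuckets to a single bucket ARN."""
    stmts = json.loads(json.dumps(policy["Statement"]))  # deep copy
    stmts[0]["Resource"] = [f"arn:aws:s3:::{bucket}"]
    return {"Version": policy["Version"], "Statement": stmts}


RESTRICTED_POLICY = without_first_statement(ORIGINAL_POLICY)
SCOPED_LIST_ALL_POLICY = with_scoped_list_all(ORIGINAL_POLICY, "bucket2")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM treats '*' and '?' in Action and Resource strings as wildcards.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


def visible_buckets(policy: dict, account_buckets: List[str]) -> List[str]:
    """Buckets the console's bucket list page would show.

    ListAllMyBuckets is an account-level call: the request carries no bucket
    ARN, so it is evaluated against the wildcard resource and the outcome is
    either every bucket in the account or none at all."""
    if is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*"):
        return list(account_buckets)
    return []


def can_browse(policy: dict, bucket: str) -> bool:
    """Whether the user may list objects in one bucket (what `aws s3 ls s3://<bucket>` needs)."""
    return is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}")


SAMPLE_BUCKETS = ["bucket1", "bucket2", "bucket3"]  # constructed account contents

if __name__ == "__main__":
    variants = [("original", ORIGINAL_POLICY),
                ("without ListAllMyBuckets", RESTRICTED_POLICY),
                ("ListAllMyBuckets scoped to bucket2", SCOPED_LIST_ALL_POLICY)]
    for name, pol in variants:
        print(f"{name}: console list -> {visible_buckets(pol, SAMPLE_BUCKETS)}, "
              f"browse bucket2 -> {can_browse(pol, 'bucket2')}, "
              f"browse bucket1 -> {can_browse(pol, 'bucket1')}")
```

Running it shows the three outcomes side by side: the original policy lists all three buckets, the policy without the first statement lists none, and scoping ListAllMyBuckets to a bucket ARN also lists none. In the last two cases s3:ListBucket on arn:aws:s3:::bucket2 still allows user2 to list and use bucket2 by name (for example with the CLI), which is the practical position the accepted answer describes: the console's bucket list is all-or-nothing, while per-bucket access can still be restricted to bucket2 alone.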
