使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

User is able to List all AWS S3 buckets,though he cannot access it

0

I have created the user who can access particular S3 bucket.But he is able to list all of S3 bucket. Why is that so ? He must list only those S3 bucket for which he has the access

Why cannot he list only those bucket for which he has access granted ?

主题
存储安全、身份和合规性
标签
亚马逊简单存储服务 (S3)存储AWS IAM 身份中心IAM 策略
语言
English
Dhaval
已提问 10 个月前1373 查看次数
3 回答
0
已接受的回答

Hello,

Unfortunately, with the way the S3 permissions are structured they only allows a user to be granted access to either list all buckets within the S3 account or not be able to list any buckets at all. This is because to list buckets within S3 we grant the permission s3:ListAllMyBuckets permission, however, this also requires the policy resource to be "arn:aws:s3:::*" . If the resource is a specific bucket then an AccessDenied error will occur, and the user will not be able to list any of the buckets within the S3 account. Instead if you would just like to grant access to one bucket and its objects you can remove the s3:ListAllMyBuckets permission and grant the S3 permission s3:ListBucket and have the policy resource listed as "arn:aws:s3:::BucketName" . This way the user can only access the specific bucket. Add s3:PutObject and s3:GetObject permissions to modify contents of specific bucket if needed. For further reference take a look at this doc to grant a user Amazon S3 console access to only a certain bucket or folder.

AWS
Maya Pillarisetti
已回答 10 个月前
profile picture
专家
Sedat Salman
已审核 7 个月前
profile pictureAWS
专家
Brettski-AWS
已审核 10 个月前
0

Yea,this is fine. Issue is,we do not want user to List all buckets,instead list only the permitted bucket

Dhaval
已回答 10 个月前
0

It is hard to tell without looking at IAM policy attached to the user. Probably, you can check what permissions are granted to the user. If we want to restrict the user to a single bucket, please refer the sample policy below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::SAMPLE-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::SAMPLE-BUCKET/*"
    }
  ]
}

If we want to allow the user to list all buckets, see the sample IAM policy below. The actions s3:ListAllMyBuckets and s3:GetBucketLocation will grant the user to list all buckets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::SAMPLE-BUCKET"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::SAMPLE-BUCKET/*"]
    }
  ]
}
profile picture
Swathi P
已回答 10 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容