S3 + SSO permission to list a predefined list of buckets.

0

Hello,

I would like to let a group of users see only a subset of my account's buckets, so they do not try to use buckets they have no access to.

I looked all over and found no solution; many people experience the same, but no definite working setup is available.

The users are using SSO with temporary credentials, so they are not available in the account. The ListBuckets API[1] requires the s3:ListAllMyBuckets permission, which does not accept a resource.

Managing a bucket ACL per owner seems like a huge overhead to manage, and I could not find how to integrate this into the roles.

Is there any option to apply a filter on the output of ListBuckets, preferably a filter based on role permissions?

I thought that the permission to perform s3:GetBucketLocation would be queried for each bucket, so that ListBuckets would return only those buckets that the role has permission to locate; this may be a clean solution.

I would appreciate any hint on how to return to my user roles only a pre-defined list of buckets.

Regards, Alon

[1] https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html

1 Answer
0

AWS SSO allows you to define inline policies for permission sets (Doc link). My suggestion would be to use an inline policy on the SSO permission set that user group gets assigned, leveraging the s3:ListBucket IAM action with the resource list being the buckets that you want to allow.

It's worth noting that you may need to be creative since there's a character limit (I think it's around 10k) which cannot be altered even by AWS.

answered 2 years ago
  • Thank you @carlo-mencarelli. However, unless I misunderstand, the s3:ListBucket permission does not filter the list of buckets the user sees. Do you have a working configuration in which you have buckets a, b, c in the account but `aws s3 ls` shows only c using s3:ListBucket? Regards, Alon
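To make the distinction between the two actions concrete, here is an added example of a permission-set inline policy along the lines the answer suggests; it is not the answerer's configuration or an AWS sample, and the bucket name `allowed-bucket-c` and the principal's other buckets are constructed for illustration. `s3:ListAllMyBuckets` only accepts the wildcard resource, so it is granted on `arn:aws:s3:::*`; the per-bucket statements are what actually restrict what the role can do inside a bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucketNamesIsAllOrNothing",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "ListOnlyTheAllowedBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::allowed-bucket-c"
    },
    {
      "Sid": "ReadObjectsOnlyInTheAllowedBucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::allowed-bucket-c/*"
    }
  ]
}
```

With this policy attached to the permission set, a plain `aws s3 ls` (which calls ListBuckets) still returns the names of every bucket in the account, because the first statement cannot be narrowed to a resource list; what the second and third statements enforce is that `aws s3 ls s3://allowed-bucket-c` succeeds while the same command against any other bucket in the account is denied with an AccessDenied error. If the first statement is omitted, `aws s3 ls` itself fails with AccessDenied for everyone in the group, so the choice is between showing all names or showing none, not a filtered list.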
