I've been able to generate a user policy that only gives access to a specific bucket, however after trying everything (including this post: Is there an S3 policy for limiting access to only see/access one bucket?).
The problem: I am unable to restrict the listing of the buckets down to just one bucket. For a variety of reasons, I do not want the listing to show any buckets other than the one specified.
I've tried a variety of policies, to no avail. Here's my latest policy JSON which is working as far as restricting operations, but not listing:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Deny",
"Action": [
"s3:ListBucket"
],
"NotResource": [
"arn:aws:s3:::acgbu-acg",
"arn:aws:s3:::acgbu-acg/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::acgbu-acg",
"arn:aws:s3:::acgbu-acg/*"
]
}
]
}
Any help would be greatly appreciated. I'm beginning to wonder if it's even possible.
You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.
It is not currently possible to restrict the list of buckets to show only one bucket.
The AWS console relies on the ListAllMyBuckets
action to get the list of buckets owned by the user, but the returned list can not be restricted by using an Amazon Resource Name (or ARN; the only ARN that's allowed for ListAllMyBuckets
is arn:aws:s3:::*
).
This limitation isn't clearly explained in the official AWS docs, but ListAllMyBuckets
is a service level API call (it's also called GET Service in the REST API), not a bucket level API call and its associated ARN in the IAM policy refers to the S3 service an not to a specific bucket.
For possible workarounds, see this answer on StackOverflow:
The free "S3 Browser" (this works on my version 3-7-5) allows users with the proper permissions to "Add External Bucket" for the account, all they need to know is the name of the bucket. This allows them to "see" their bucket and the contents (and what ever abilities they've been given inside that bucket), they won't see any of the other buckets.
To make the bucket "play nice" with the S3 Browser behavior, I suggest the following IAM Policy for the User or Group:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::acgbu-acg"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::acgbu-acg/*"
}
]
}
It's a work around, and it's okay if the user only needs to do it once. But if the buckets your user is accessing are changing around a lot then this work around isn't very practical.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With