Is there an S3 policy for limiting access to only see/access one bucket?

孤城傲影
孤城傲影 2020-11-29 15:08

I have a simple bucket that looks like images.mysite.com on my S3 and other buckets containing backups, etc.

I want to allow a specific user to be able

23 answers
  • 2020-11-29 15:46

    It is not possible to provide access to the S3 Console without granting the ListAllMyBuckets permission.

    In my case (and perhaps yours as well, future reader) an acceptable alternative is to redirect users on sign in directly to the bucket you would like them to see.

    To accomplish this, append the following to your IAM sign-in URL: /s3/?bucket=bucket-name

    Full Sign-in URL (replace your-alias and bucket-name):

    https://your-alias.signin.aws.amazon.com/console/s3/?bucket=bucket-name

    IAM Policy (replace bucket-name):

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::bucket-name",
                    "arn:aws:s3:::bucket-name/*"
                ]
            }
        ]
    }
    

    For more information on how to create bucket specific permissions for users, read this blog: http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/

  • 2020-11-29 15:46

    Confused about why no answer was checked?

    Let's break down each policy statement from above solutions:

    This policy statement from applies to the contents of the bucket, but not the bucket itself. This is probably not what the question asked for, because you can't see what's in the bucket.

    {
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:GetObjectAcl",
            "s3:PutObjectAcl",
            "s3:ListBucket",
            "s3:GetBucketAcl",
            "s3:PutBucketAcl",
            "s3:GetBucketLocation"
        ],
        "Resource": "arn:aws:s3:::your_bucket_here/*",
        "Condition": {}
    }
    

    This two-statement policy derived from gives read-only access to the bucket itself at (arn:aws:s3:::your_bucket_here/), but still allows CRUD ops on the bucket's contents (arn:aws:s3:::your_bucket_here/*).

    {
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:ListBucketMultipartUploads"
        ],
        "Resource": "arn:aws:s3:::your_bucket_here",
        "Condition": {}
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:AbortMultipartUpload",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:PutObjectVersionAcl"
        ],
        "Resource": "arn:aws:s3:::your_bucket_here/*",
        "Condition": {}
    }
    

    However, the policy includes the statement below, which allows a user to see all the buckets at the endpoint. This is probably not what the question asked for.

    {
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "*",
        "Condition": {}
    }
    

    However, the above is very useful if you use a client that browses an S3 store. If your client accesses the store and not the bucket directly, you need access to the list of buckets at the root.

  • 2020-11-29 15:46

    Probably the simplest use case:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": ["arn:aws:s3:::bucket-name"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Resource": ["arn:aws:s3:::bucket-name/*"]
        }
      ]
    }
    
  • 2020-11-29 15:46

    While it's not possible to restrict the s3:ListAllMyBuckets action to specific buckets, as a workaround you can send them the Console URL for a specific bucket, e.g.

    • https://s3.console.aws.amazon.com/s3/buckets/BUCKET_NAME/

    Source: Restricting list of S3 buckets from the S3 Console

    In order to do that, you'll need to specify the following policy document for given user or group:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation",
                    "s3:ListBucketMultipartUploads"
                ],
                "Resource": [
                    "arn:aws:s3:::my-bucket-1",
                    "arn:aws:s3:::my-bucket-2"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:GetObject",
                    "s3:GetObjectAcl",
                    "s3:GetObjectVersion",
                    "s3:GetObjectVersionAcl",
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:PutObjectVersionAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::my-bucket-1/*",
                    "arn:aws:s3:::my-bucket-2/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "arn:aws:s3:::*"
            }
        ]
    }
    

    Where my-bucket-1 and my-bucket-2 are the buckets to which you want to give read and write access.

    Related:

    • Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
    • Restrict List of Buckets for a Specific User
    • How to provide a user to access only a particular bucket in AWS S3?
    • Specifying Resources in a Policy & Permissions Related to Bucket Operations
  • 2020-11-29 15:46

    This worked perfectly for me. The user can upload, download and get a list of files but will not be able to see files from other buckets.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:GetObjectAcl",
                    "s3:PutObjectAcl",
                    "s3:ListBucket",
                    "s3:GetBucketAcl",
                    "s3:PutBucketAcl",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::mybucketname/*",
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*",
                "Condition": {}
            },
            {
                "Effect": "Deny",
                "Action": [
                    "s3:DeleteBucket",
                    "s3:DeleteBucketPolicy",
                    "s3:DeleteBucketWebsite",
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion"
                ],
                "Resource": "arn:aws:s3:::mybucketname/*",
                "Condition": {}
            }
        ]
    }
    
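The answer above, like the first statement dissected in the "Let's break down each policy statement" answer, grants s3:ListBucket on an object ARN (mybucketname/*), which never matches the bucket ARN a list request is evaluated against. The following is an added example, not code from any answer or from AWS: a deliberately simplified IAM evaluator (Deny wins, otherwise any Allow, otherwise implicit deny; Condition, NotAction/NotResource and policy variables are not modelled) run over a constructed copy of that mismatched statement and a corrected split across bucket and object ARNs, plus a small lint that flags such mismatches.

```python
import fnmatch
import json

# Actions that act on the bucket itself and so must be granted on the bucket ARN
# (arn:aws:s3:::name), never only on the object ARN (arn:aws:s3:::name/*).
BUCKET_LEVEL = {"s3:listbucket", "s3:getbucketlocation", "s3:listbucketmultipartuploads",
                "s3:getbucketacl", "s3:putbucketacl", "s3:deletebucket"}

# Constructed policy: the object-ARN-only statement criticised in the answers.
BROKEN_POLICY = json.loads("""{"Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
   "Resource": "arn:aws:s3:::your_bucket_here/*"}]}""")

# Constructed policy: the same grant split correctly across bucket and object ARNs.
FIXED_POLICY = json.loads("""{"Statement": [
  {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::your_bucket_here"},
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::your_bucket_here/*"},
  {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::your_bucket_here/*"}]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _any_match(patterns, value, fold_case):
    # IAM treats '*' and '?' as wildcards; action names are case-insensitive, ARNs are not.
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny beats any Allow, unmatched requests are
    implicitly denied. Condition, NotAction/NotResource and policy variables are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _any_match(_as_list(stmt["Action"]), action, True):
            continue
        if not _any_match(_as_list(stmt["Resource"]), resource, False):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny cannot be overridden by a later Allow
        allowed = True
    return allowed

def mismatched_grants(policy):
    """(action, resource) pairs where a bucket-level action is granted on an object ARN."""
    return [(act, res) for stmt in policy["Statement"]
            for act in _as_list(stmt["Action"]) for res in _as_list(stmt["Resource"])
            if act.lower() in BUCKET_LEVEL and res.endswith("/*")]
```

Note that neither constructed policy grants s3:ListAllMyBuckets, so is_allowed reports it denied, which is exactly why the console cannot list anything for such a user.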
  • 2020-11-29 15:47

    I am interpreting this question as: "Can I allow access to one bucket where any other buckets will not be accessible and thus invisible." Because, showing the name of the bucket to which no access was granted still equates to information leakage.

    And the correct answer is no. The required permission is ListAllMyBuckets which will allow the user to see ALL buckets. Leaving out this permission will make the console unusable.
