I have a simple bucket that looks like images.mysite.com
on my S3 and other buckets containing backups, etc.
I want to allow a specific user to be able
As has been well discussed above, listing only one bucket in the console is not possible. But if an S3 bucket's access is attached to an IAM user, that user can directly access the bucket if the URL to the bucket is available. The S3 bucket URL will be like:
https://s3.console.aws.amazon.com/s3/buckets/BucketName
where BucketName is the name of the bucket the IAM user has access to.
Our use case: Provide backup space for clients of our cloud application that can be accessed by the clients directly using common S3 tools. Of course, no client should see what other clients have.
As cloudberryman explained, "You can either list all buckets or none.", so we have to come up with a workaround. Background:
Granting ListAllMyBuckets rights to the user is needed so that the AWS S3 console or S3Fox connect without an error message. But ListAllMyBuckets lists all buckets, regardless of the resources assigned (actually, only arn:...:::* works). That's a serious bug, if you ask me. Btw, denying ListBucket for all buckets does not prevent them from being listed, as ListBucket grants rights to list the bucket's content.
There are 3 possibilities I considered as a workaround. I chose the last one.
(1) use cryptic bucket names, e.g. GUIDs
Advantage: easy to set up
Disadvantage: difficult to manage, especially for the client. (Imagine finding a specific GUID among thousands of others.) Also shows off the number of buckets = number of clients using the backup service.
(2) use one bucket with client specific folders
This is what Amazon suggests in their S3/IAM examples to provide space accessible only by certain users or user groups. See: AWS Example IAM Policies
Advantage: fairly easy to set up, goes with AWS ideas
Disadvantage: forces you to make the existence of all buckets public, so the client can find their "home" bucket. AWS accounting provides statistics of bucket usage, but not of folder usage, which makes it difficult to calculate cost by client.
(3) don't grant the access right for ListAllMyBuckets
Advantage: you get what you want: clients can't see other clients' buckets
Disadvantage: the client can't see his or her own bucket. S3Browser comes with a nice "cannot do" message and asks for the bucket name to be entered. S3Fox throws an error message when connecting to the root, but allows direct navigation to the client's bucket if the bucket name is known. The Amazon S3 console does not work at all.
Hope this helped to handle S3 IAM as you need it.
There is an easy way, or workaround, to do this using AWS Organizations. AWS Organizations allows you to have multiple accounts. Your main account can have multiple (sub) AWS accounts, and whatever services (S3/EC2/*) are added in whichever AWS account, only those resources will be visible.
Please refer to https://aws.amazon.com/blogs/aws/aws-organizations-policy-based-management-for-multiple-aws-accounts/ and https://aws.amazon.com/organizations/
The solution below worked for me. I wanted a policy to grant access to a specific user my_iam_user on a specific bucket my-s3-bucket.
This policy allows my user to list, delete, get and put files on a specific S3 bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/my_iam_user"
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::my-s3-bucket"
    },
    {
      "Sid": "AddDeleteFiles",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/my_iam_user"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-s3-bucket/*"
    }
  ]
}
Try this policy. Also take into account that there is no way to let the user list only a selected bucket. You can either list all buckets or none.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ObjectLevel",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::your_bucket_here/*"
    },
    {
      "Sid": "BucketLevel",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:PutBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::your_bucket_here"
    },
    {
      "Sid": "ListAllBuckets",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
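Two points from the answers above are easy to get wrong when writing these policies: bucket-level actions such as s3:ListBucket match the bucket ARN, not the "bucket/*" object ARN, and s3:ListAllMyBuckets cannot be scoped to a single bucket. The following toy policy evaluator is an added example written for this page; it is not AWS's evaluation engine and not code from any of the posters. It models only Allow/Deny statements, Action and Resource wildcards, and the rule that an explicit Deny wins over Allow, which wins over the implicit deny; Principal and Condition are ignored, and all bucket names and ARNs are constructed placeholders.

```python
"""Minimal IAM-style policy evaluator (added example, not AWS's engine).

Models only what the answers above discuss: Allow/Deny statements,
wildcards in Action and Resource, and the order explicit Deny, then
Allow, else implicit deny.  Principal and Condition are ignored.
All bucket names and ARNs below are constructed placeholders.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    # fnmatch shares both; ARNs and action names contain no '[', so its
    # character-class syntax never fires.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one (action, resource)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


BUCKET = "arn:aws:s3:::your_bucket_here"  # constructed placeholder ARN
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:GetObjectAcl", "s3:PutObjectAcl"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketAcl", "s3:PutBucketAcl", "s3:GetBucketLocation"]
LIST_ALL = {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}

# Shape of the last answer's policy as originally posted: bucket-level
# actions share the object-level resource "bucket/*".
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": OBJECT_ACTIONS + BUCKET_ACTIONS, "Resource": BUCKET + "/*"},
        LIST_ALL,
    ],
}

# Same grants, with bucket-level actions on the bucket ARN itself.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": BUCKET + "/*"},
        {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": BUCKET},
        LIST_ALL,
    ],
}

# What the second answer observes: ListAllMyBuckets scoped to one bucket ARN grants nothing.
SCOPED_LIST_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": BUCKET}],
}


def check(policy):
    """Evaluate the requests that matter for the per-client backup use case."""
    return {
        "list_own_bucket": evaluate(policy, "s3:ListBucket", BUCKET),
        "get_object": evaluate(policy, "s3:GetObject", BUCKET + "/backups/2024-01.tar"),
        "list_other_bucket": evaluate(policy, "s3:ListBucket", "arn:aws:s3:::other-client"),
        # ListAllMyBuckets is modelled as a request against "*": it has no bucket ARN.
        "list_all_buckets": evaluate(policy, "s3:ListAllMyBuckets", "*"),
    }


if __name__ == "__main__":
    for name, policy in [("posted", POSTED_POLICY), ("fixed", FIXED_POLICY)]:
        print(name, check(policy))
    print("scoped ListAllMyBuckets:", check(SCOPED_LIST_ALL)["list_all_buckets"])
```

Running it shows the posted shape yielding ImplicitDeny for s3:ListBucket on the bucket ARN while the split version yields Allow, both versions keeping s3:ListBucket on another client's bucket at ImplicitDeny, and a ListAllMyBuckets statement scoped to one bucket ARN matching nothing at all.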