Best IT Recipes

Limit bucket list to specific user

I managed to create a user policy that gives access only to a specific bucket, but after trying everything (including this post: Is there an S3 policy to restrict access to only see / access one bucket? ).

Problem: I cannot limit the list of buckets to one bucket. For a variety of reasons, I don’t want any buckets other than those shown in the listing.

I tried various policies, but to no avail. Here is my last JSON policy that works with operation restrictions but does not list:

{ "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Deny", "Action": [ "s3:ListBucket" ], "NotResource": [ "arn:aws:s3:::acgbu-acg", "arn:aws:s3:::acgbu-acg/*" ] }, { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::acgbu-acg", "arn:aws:s3:::acgbu-acg/*" ] } ] }

Any help would be greatly appreciated. I'm starting to wonder if this is possible.

+13
amazon-s3 policy
Jul 19 '13 at 0:05
source share
3 answers

It is currently not possible to limit the list of impression buckets to just one bucket.

The AWS console relies on the ListAllMyBuckets action to get a list of buckets owned by the user, but the returned list cannot be limited using the Amazon resource name (or ARN; the only ARN that is allowed for ListAllMyBuckets arn:aws:s3:::* ).

This limitation is not clearly explained in AWS ListAllMyBuckets papers, but ListAllMyBuckets is a service level API call (also called a GET service in the REST API), not a bucket level API and the associated ARN in IAM does not apply to S3 a bucket.

For possible workarounds see this answer in StackOverflow:

+29
Sep 23 '13 at 10:06 on
source share

The free “S3 Browser” (this works in my version 3-7-5) allows users with the appropriate “Add external bucket” permissions for the account, all they need to know is the name of the bucket. This allows them to “see” their bucket and contents (and what has ever been given to them inside this bucket), they will not see any of the other buckets.

To make the bucket “play well” with the behavior of the S3 browser, I propose the following IAM policy for a user or group:

 { "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl" ], "Resource": "arn:aws:s3:::acgbu-acg" }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::acgbu-acg/*" } ] }

This is work, and everything is in order if the user needs to do this only once. But if the buckets your user is accessing change a lot, then this work is not very practical.

+3
Apr 22 '14 at 23:36
source share

I came here to learn how to restrict access to a bucket to one (or a list) of users. Maybe the title of the message is ambiguous?

In any case, it seems that Google is using it, so let it enrich it a bit:
If you need to restrict access to the bucket to some users (users) , follow these steps:


First, get the identifiers of the user to whom you want to grant rights.
This can be achieved with the awscli aws iam list-users command.
These identifiers are as follows: "AIDAIFKYAC9DNJXM2CRD" or "AIDAZ362UEKJCJMFFXCL"
Please comment if it is available in the web console.

After you receive the identifiers that should be granted access, enter the policy in the bucket that you want to protect.
To do this using the web console:
→ Open S3 → Open bucket → Select the “Properties” tab → Click “Change bucket policy”

To apply a policy using awscli, create a file with the contents of the policy and put it in your bucket using this command:
aws s3api put-bucket-policy --bucket NAME_OF_YOUR_BUCKET --policy file:///path/to/policyFile.json
Of course, set YOUR_BUCKET_NAME and the path to your values, BUT DO NOT delete the file: // prefix before your file name


Warning : this deny policy will override the standard "s3 access" that the user may have. This means that you can deny access to your OWN user with this. Use with caution!
I’m even afraid that you might make the bucket completely inaccessible.
Out of curiosity, I tried to access our root user , which I did not provide access to, and actually could not.
Gotta ask for support and hopefully update this answer.

In any case, I'm sure that you will be careful enough, so here is an example of a policy.
Just replace the bucket name with yours and userId with the one you want to allow access to.

 { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*" ], "Condition": { "StringNotLike": { "aws:userId": [ "AIDAXAXAXAXAXAXAXAXAX", "AIDAOXOXOXOXOXOOXOXOX", "AIDAXIXIXIXIXIXIXIXIX" ] } } } ] }

For something more specific, or if you want to use roles instead of users, see this AWS Post, which explains in detail how to restrict access to buckets

Hope this helps

+1
Mar 08 '17 at 17:45
source share


More articles:


All Articles