0
votes

I am trying to write a permission for a user to just be able to access the objects in ONE specific bucket.

I currently have:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::test",
        "arn:aws:s3:::test/*"
      ]
    }
  ]
}

but the user can still access ALL my other buckets. Note that my other buckets don't have a policy... I don't think it should matter. I just want that user's IAM policy to allow access to that specific bucket.

2
What are the permissions (under Bucket Properties in the S3 console) for your other buckets? By default buckets limit access to the owner, so unless you've opened the permissions then the other user should have access. - Ben Whaley
All my other buckets have only the owner in the Permissions Grantee list. But I thought that because I say to that IAM User "You can only access THIS bucket" he wouldn't be able to access the other ones... - abisson
Does the bucket need a policy as well? I thought that since I declared my IAM user to have access to only one bucket, it still wouldn't be able to access the other buckets, even though these other buckets don't have a bucket policy... - abisson
Yes, that's true, he should only be able to access the bucket you specified in the IAM policy you attached to that user. In the IAM console, click on that user, then click the Permissions tab. Do you see only the policy you mentioned? Do you see any other group or user policies there? - Ben Whaley
No, the bucket doesn't need a policy. - Ben Whaley

2 Answers

2
votes

Amazon S3 is one of the most complex services due to offering three different permission mechanisms, which can all be applied simultaneously; see e.g. IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3 Resources) for a nice writeup of the subject matter, in particular the section How does authorization work with multiple access control mechanisms?:

Whenever an AWS principal issues a request to S3, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.

The behavior you experience indicates a misconfiguration somewhere, i.e. you likely allow access to the bucket at a level you might not be aware of. Concerning Amazon IAM alone, the IAM Policy Simulator is an excellent tool to debug such situations, and I highly suggest verifying your configuration there first.

However, while this is sufficient for most services, it doesn't cover the other two permission mechanisms for S3 outlined above; it would at least isolate the analysis, though.

0
votes

Do try the following IAM user policy, which allows full access to only a single bucket.

Note that the 'list all buckets' permission is required, but the user won't be able to access buckets other than the one you specified in the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::examplebucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}
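As an added example that is not part of either answer above, the Python below models the authorization decision the first answer describes (the union of every applicable policy, with an explicit Deny beating any Allow and no match ending in an implicit deny) and runs the two policies posted on this page through it. The bucket policy on a bucket named "other", the account ID and the user name in it are constructed for the example; they show the kind of grant outside the identity policy that would explain the asker's symptom. The evaluator is deliberately simplified: it handles Effect, Action and Resource only (no Condition, NotAction or NotResource, and it assumes the bucket policy's Principal already matches the user being tested).

```python
import json
import re

# Copies of the two policies shown on this page: the asker's identity policy
# and the single-bucket policy from the second answer.
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::test", "arn:aws:s3:::test/*"]
  }]
}
""")

ANSWER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::examplebucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::examplebucket/*"}
  ]
}
""")

# Constructed (hypothetical) bucket policy on an unrelated bucket "other".
# Account ID and user name are made up.  Nothing like this is in the identity
# policy, but it is part of the union S3 evaluates, which is exactly the kind
# of grant the first answer says to hunt for.
OTHER_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::other/*"
  }]
}
""")


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string/object or a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(action, resource, *policies):
    """Simplified IAM decision over the union of the given policy documents.

    Returns "Deny" if any statement explicitly denies the request, "Allow" if
    no deny matches and at least one Allow does, and "ImplicitDeny" otherwise.
    Only Effect/Action/Resource are modelled (no Condition, NotAction,
    NotResource); a bucket policy's Principal is assumed to match already.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive in IAM; resource ARNs are not.
            if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny short-circuits everything
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    # The asker's identity policy alone cannot reach another bucket ...
    print(evaluate("s3:GetObject", "arn:aws:s3:::other/secret.txt", QUESTION_POLICY))
    # ... so if the user still can, a second mechanism (here the constructed
    # bucket policy) must be supplying the Allow.
    print(evaluate("s3:GetObject", "arn:aws:s3:::other/secret.txt",
                   QUESTION_POLICY, OTHER_BUCKET_POLICY))
    # The asker's policy also lacks ListBucket on the intended bucket; the
    # second answer's policy adds it while still not reaching "other".
    print(evaluate("s3:ListBucket", "arn:aws:s3:::test", QUESTION_POLICY))
    print(evaluate("s3:ListBucket", "arn:aws:s3:::examplebucket", ANSWER_POLICY))
    print(evaluate("s3:GetObject", "arn:aws:s3:::other/secret.txt", ANSWER_POLICY))
```

Running this against the real account is what the IAM Policy Simulator does for the identity-policy half; the point of the local model is that the identity policy in the question never matches a resource outside bucket "test", so the extra access the asker observed has to come from a bucket policy, an ACL, or some other policy attached to the user or one of its groups.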