0
votes

I created a group and added a new user to it, then I created the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
    }
  ]
}

I got the above policy from:

http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html

Basically, I want to grant permission for just one specific bucket, but the above policy doesn't work. The user can still add, delete, and modify files in other buckets.

Thanks!


3 Answers

0
votes

This policy definitely should work: the user can only add/delete/modify objects in the EXAMPLE-BUCKET-NAME bucket.

Double-check your group and user, and ensure that there are no other managed or inline policies attached to them.
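To see why the answer above points at other attached policies, here is an offline evaluator, added as an example (it is not code from the question, from any answerer, or from AWS). It implements the documented order for identity-based policies: a matching explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied, with IAM's `*` wildcards on Action/Resource (actions case-insensitive, ARNs case-sensitive). The stray `s3:*` policy, the explicit-Deny policy and the bucket/object names other than EXAMPLE-BUCKET-NAME are constructed assumptions for the demonstration; conditions, resource policies, SCPs and permission boundaries are out of scope.

```python
"""Offline IAM policy evaluator (added example, not the question's or AWS's code).
Evaluation order: explicit Deny > Allow > implicit Deny, over every statement of
every policy attached to the principal. Conditions, resource policies, SCPs and
permission boundaries are not modelled."""
import fnmatch

# The policy from the question, unchanged in substance.
SINGLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"},
    ],
}

# Constructed assumption: a second policy attached to the same group or user,
# shaped like the AWS-managed AmazonS3FullAccess policy (s3:* on every resource).
STRAY_FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed assumption: an explicit Deny on every S3 resource except the one
# bucket. Deny is evaluated first, so it neutralises any stray Allow.
DENY_OTHER_BUCKETS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*",
                   "NotResource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME",
                                   "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"]}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM wildcard match: '*' and '?' are wildcards; action names are
    case-insensitive, ARNs are case-sensitive."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource
    elements both cover this request."""
    if "Action" in stmt:
        if not _matches(stmt["Action"], action, case_sensitive=False):
            return False
    elif _matches(stmt["NotAction"], action, case_sensitive=False):
        return False
    if "Resource" in stmt:
        if not _matches(stmt["Resource"], resource, case_sensitive=True):
            return False
    elif _matches(stmt["NotResource"], resource, case_sensitive=True):
        return False
    return True


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"      # one matching Deny ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


OWN_OBJECT = "arn:aws:s3:::EXAMPLE-BUCKET-NAME/report.csv"       # constructed key
OTHER_OBJECT = "arn:aws:s3:::some-other-bucket/secret.txt"       # constructed bucket


def diagnose():
    """Reproduce the symptom from the question: the single-bucket policy alone
    cannot touch another bucket, the same policy plus a stray s3:* policy can,
    and an explicit Deny restores the restriction without breaking own-bucket access."""
    alone = [SINGLE_BUCKET_POLICY]
    with_stray = [SINGLE_BUCKET_POLICY, STRAY_FULL_ACCESS_POLICY]
    with_deny = with_stray + [DENY_OTHER_BUCKETS_POLICY]
    return {
        "alone/own": evaluate(alone, "s3:PutObject", OWN_OBJECT),
        "alone/other": evaluate(alone, "s3:PutObject", OTHER_OBJECT),
        "stray/other": evaluate(with_stray, "s3:DeleteObject", OTHER_OBJECT),
        "deny/other": evaluate(with_deny, "s3:DeleteObject", OTHER_OBJECT),
        "deny/own": evaluate(with_deny, "s3:DeleteObject", OWN_OBJECT),
    }


if __name__ == "__main__":
    for case, verdict in diagnose().items():
        print(f"{case:12} -> {verdict}")
```

Against a real account the same check is done with the actual attached policies by `aws iam simulate-principal-policy` (pass the user's ARN, the action names and the other bucket's object ARN); an `allowed` verdict there with the question's policy alone is impossible, so it means another managed or inline policy on the user or one of their groups is granting the access.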

0
votes

Try using IAM roles for S3 buckets and roles for each user. That should restrict write access to the bucket.

Refer to this link: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

Check the part where the link talks about granting access.

Hope that helps!

0
votes

For Googlers:

S3 API and IAM action naming is completely blown up:

  • ListBucket is a deprecated SOAP API that has now been renamed to ListObjects
  • ListBuckets is an API that lists all buckets owned by YOU, THE API CALLER'S ACCOUNT
  • The ListBucket API is governed by, as you may guess, the s3:ListBucket IAM action
  • The ListBuckets API is governed by... surprise❗️ the s3:ListAllMyBuckets IAM action
  • ListBuckets returns an object named... surprise❗️ <ListAllMyBucketsResult>

I could not find a good way to describe my feelings now.

It may be a good habit to keep old or wrongly named APIs forever for backward compatibility, but AWS should put consistency first when creating new APIs.

So to put it short: ListBuckets = s3:ListAllMyBuckets, forget about s3:ListBucket!

That being said, as of 2021/01 there is NO WAY to:

  • List a limited number of buckets owned by you, because ListAllMyBuckets, as its name suggests, accepts only * as a valid resource
  • List any bucket not owned by you, because there is no such API or parameter
  • Get the creation date of any bucket not owned by you, because ListBuckets is the only way to get this info