AWS IAM S3 Policy

0
votes

I currently have AWS Policy that grants a user account access to create new users with limited access to IAM and S3

How can I reduce the permission of this user further so the user is unable to list all the S3 buckets on my account 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:PutUserPolicy",
                "iam:GetUser",
                "iam:CreateUser",
                "iam:CreateAccessKey"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*"
        }
    ]
}
1
amazon-web-servicesamazon-s3amazon-iam
Well, clearly this policy allows all S3 actions on all resources. What problem are you having reducing this level of access?jarmod
I can't get it to work after limiting the accesszaddyn00b
I need to grant this user the ability to only create new bucket but restrict the ability to list all the buckets on my accountzaddyn00b
You can modify the policy to only allow s3:CreateBucket but that doesn't seem all that useful. How will they access the bucket after they create it, for example? Have you thought through what these users will actually need?jarmod
This seems like a duplicate of a common question/desire. How do I let people list buckets but only see the ones they are allowed to see? The answer is that you can't. See this answer to a similar question on the workarounds.Jason Wadsworth

1 Answers

0
votes

It is not possible to limit the list of buckets presented to a user. Either they have permission to list all the buckets in an account, or they do not have permission to list any buckets.

The ability to list buckets is separate to the ability to list the contents of a bucket.