Tuesday, August 1, 2017

AWS S3 - Policy to limit access to single bucket

How to limit access to only single S3 bucket

I was recently in a situation where a team wanted to allow someone access to their bucket in our account (from the Web Console) but wanted to hide all other buckets. I thought this could be done with some sort of "Deny-All-Except-Condition" policy, but I found that this was harder than anticipated. First of all, I couldn't find a conditional statement that matches against a bucket name or bucket tag. There are, however, conditional policies for both prefix strings and object tags.

So the policy below is the best I could do, meeting the team half way. It permits the user to list all bucket names, but they cannot browse into any of the other buckets, and it grants the user full access to one bucket. The "ListAllMyBuckets" permission is required; otherwise the user can't use the S3 feature from the AWS Web Console.

This is an IAM policy that I attached to the IAM user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1501602649000",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1501602649090",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*",
                "s3:Put*",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::myBucketName",
                "arn:aws:s3:::myBucketName/*"
            ]
        }
    ]
}
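As an added check that is not part of the original post, the Python below applies the policy above the way IAM's default-deny logic does (simplified: Condition keys, NotAction/NotResource and Principal are not modelled) so you can see which console operations the user ends up with before attaching it. The bucket names and scenarios are constructed for illustration.

```python
import re

# The policy from the post as a Python dict (Sids dropped; they do not affect evaluation).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["s3:List*", "s3:Get*", "s3:Put*",
                    "s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": ["arn:aws:s3:::myBucketName", "arn:aws:s3:::myBucketName/*"]},
    ],
}

def _match(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        if not any(_match(a, action, ignore_case=True) for a in actions):
            continue
        if not any(_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def check_scope(policy=POLICY, bucket="myBucketName", other="someOtherBucket"):
    """Exercise the behaviour the post describes plus one bucket-level caveat (constructed names)."""
    own, foreign = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{other}"
    return {
        "list_all_buckets": evaluate(policy, "s3:ListAllMyBuckets", "*"),
        "browse_own": evaluate(policy, "s3:ListBucket", own),
        "get_own_object": evaluate(policy, "s3:GetObject", own + "/report.csv"),
        "browse_other": evaluate(policy, "s3:ListBucket", foreign),
        "get_other_object": evaluate(policy, "s3:GetObject", foreign + "/report.csv"),
        # s3:Put* on the bucket ARN also covers bucket-level writes such as PutBucketPolicy.
        "put_bucket_policy_own": evaluate(policy, "s3:PutBucketPolicy", own),
    }

for scenario, result in check_scope().items():
    print(f"{scenario:22s} {result}")
```

The last scenario is worth noting: because "s3:Put*" is granted on the bucket ARN itself, bucket-level writes such as s3:PutBucketPolicy are allowed too, so if the team only needs object access, list the object-level actions explicitly instead of the wildcard.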

Please share if you got an easier way to limit exposure of S3 buckets to users.
