How can SSO users in a billing group access S3 buckets?



Required: enable S3 bucket access for a specific permission set.

1. I have an SSO role in IAM for Billing. This is an AWS managed SSO role and gives access to Billing actions in its policy: AWSReservedSSO_BillingReadOnly_tagnumber.
2. I have an IAM Identity Center group, AWS-acctnum-BillingReaders-Prod, that has 4 SSO users.
3. The above group has been assigned to the permission sets below; the user is able to see the permission sets on his login page, under the account.
4. I also have a permission set (BillingReadOnly) that has the AWS managed billing policy, AWSBillingReadOnlyAccess, and also an inline policy that allows access to the S3 bucket (ListBucket, GetObject). The SSO user who is part of the group in 2 sees this permission set on his login screen, but he does not see any buckets listed in S3.

Note: anything that is AWS managed cannot be altered, hence the addition of a custom inline policy on the permission set.

Any idea what's wrong here? Thanks in advance.

2 Answers
Accepted Answer

Issue got resolved... The inline policy on the permission set was restricting access to a specific bucket by resource tag, and somehow this was not working. A specific bucket restriction should be added in a condition using the new AWS condition tags.

answered a year ago

What does your S3 bucket policy look like?

AWS
answered a year ago
  • The S3 bucket has basic access for AWSBillingConductor write, so that Billing can dump its monthly reports. I was advised to allow this access through IAM. On another note, I had tried modifying the S3 bucket policy for that specific SSO role ARN, but that had not shown the bucket either. Can we add a permission set to the S3 bucket policy instead? (Permission sets are new to me.)
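As an added example (not code from the question or either answer), the script below builds the kind of inline policy the question describes for the BillingReadOnly permission set and then runs a minimal IAM-style Allow/Deny matcher over the three calls the S3 console makes when a user opens the bucket list, opens a bucket, and downloads a report. The account id and bucket name are placeholders; the matcher only handles Action/Resource wildcards and skips any statement that carries a Condition block, so it is a sanity check on the policy shape, not a replacement for the IAM policy simulator. The point it shows: the console's bucket list comes from s3:ListAllMyBuckets, which is an account-level action that only matches Resource "*"; scoping it to a bucket ARN (or expecting a bucket policy to grant it) leaves the user with an empty bucket list even though ListBucket and GetObject on the bucket are fine.

```python
"""Permission-set inline policy for read access to one S3 bucket, plus a
minimal IAM-style matcher to show why the console bucket list can be empty.
Added example; account id and bucket name below are placeholders."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"       # assumption: placeholder account id
BUCKET = "billing-reports-prod"   # assumption: placeholder bucket name


def build_inline_policy(bucket: str, scope_list_all_to_bucket: bool = False) -> dict:
    """Inline policy to attach to the BillingReadOnly permission set.

    s3:ListAllMyBuckets is what the S3 console calls to draw the bucket list.
    It is an account-level action and only matches Resource "*".
    Pass scope_list_all_to_bucket=True to reproduce the common mistake of
    scoping it to the bucket ARN, which silently empties the console listing.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConsoleBucketList",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": bucket_arn if scope_list_all_to_bucket else "*",
            },
            {   # listing keys inside the bucket: resource is the bucket ARN
                "Sid": "ListReportBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
            },
            {   # reading objects: resource is the object ARN, hence the /*
                "Sid": "ReadReports",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Toy identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. Action matching is case-insensitive, resource
    matching is case-sensitive, as in IAM. Statements with a Condition block
    are skipped because this toy does not evaluate condition keys."""
    decision = False
    for stmt in policy["Statement"]:
        if "Condition" in stmt:
            continue
        action_ok = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_ok = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_ok and resource_ok):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def console_checks(policy: dict, bucket: str) -> dict:
    """The three calls behind 'open the S3 console, click the bucket, open a report'.
    ListAllMyBuckets has no specific resource, so IAM evaluates it against "*"."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "ListAllMyBuckets": is_allowed(policy, "s3:ListAllMyBuckets", "*"),
        "ListBucket": is_allowed(policy, "s3:ListBucket", bucket_arn),
        "GetObject": is_allowed(policy, "s3:GetObject", f"{bucket_arn}/2024-01/report.csv"),
    }


if __name__ == "__main__":
    good = build_inline_policy(BUCKET)
    print(json.dumps(good, indent=2))
    print("correct policy:", console_checks(good, BUCKET))
    bad = build_inline_policy(BUCKET, scope_list_all_to_bucket=True)
    print("ListAllMyBuckets scoped to bucket ARN:", console_checks(bad, BUCKET))
```

Once the JSON is saved to a file, the real attachment is done against the Identity Center instance rather than the AWSReservedSSO_* role directly: `aws sso-admin put-inline-policy-to-permission-set --instance-arn <instance-arn> --permission-set-arn <permission-set-arn> --inline-policy file://policy.json`, followed by `aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <permission-set-arn> --target-type AWS_ACCOUNT --target-id <account-id>` so the role in the member account picks up the change. To check the effective permissions of the actual role instead of this toy matcher, run `aws iam simulate-principal-policy --policy-source-arn <AWSReservedSSO role ARN> --action-names s3:ListAllMyBuckets s3:ListBucket s3:GetObject`.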
