It is not possible to provide access to the S3 Console without granting the ListAllMyBuckets permission.
An acceptable alternative is to redirect users on sign in directly to the bucket you would like them to see.
To accomplish this, append the following to your IAM sign-in URL: /s3/?bucket=bucket-name
Full Sign-in URL (replace your-alias and bucket-name): https://your-alias.signin.aws.amazon.com/console/s3/?bucket=bucket-name
IAM Policy (replace bucket-name):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}
It sounds like you've done as much as you can here. The user needs to have s3:ListAllMyBuckets and s3:GetBucketLocation for the Console to show them the buckets in the account, which they have, but beyond that the output cannot be filtered so that some bucket name(s) are suppressed.
You can allow or deny access to specific buckets, which again it sounds like you have already done.
Giving users a direct link to their bucket is correct: it removes the need to grant access to list the buckets, which cannot be restricted to individual buckets. However, your policy example still includes the s3:ListAllMyBuckets permission, so the user can still list the other buckets. You'll need to remove that permission and give each user the direct link to their bucket for this solution to work.
Also, it's almost certainly not intentional to grant clients full s3:* permissions to the buckets. That would allow them to reconfigure the bucket's permissions, encryption, logging settings, replication, etc. They would typically need s3:GetBucketLocation and s3:ListBucket permissions to the bucket and s3:GetObject, s3:PutObject, s3:DeleteObject, and possibly s3:PutObjectAcl permissions to the objects in their bucket.
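The following is an added example, not code from this thread or from AWS. It puts the last answer's recommendation into a policy document (bucket-level s3:GetBucketLocation and s3:ListBucket, object-level Get/Put/Delete/PutObjectAcl, no s3:ListAllMyBuckets), builds the direct sign-in link from the first answer, and includes a small review check that flags any Allow statement which would still let the user list every bucket in the account. The check expands IAM action globs, so a statement with Action s3:* or s3:List* on Resource * is caught, not just the literal action name. The account alias example-alias and the bucket name customer-data are assumed placeholders, and OVERLY_BROAD is a constructed copy of the first answer's policy used as the negative case.

```python
"""Least-privilege S3 console access for one bucket, plus a check for
account-wide bucket listing. Added example; names below are assumptions."""
import fnmatch
import json


def bucket_scoped_policy(bucket: str) -> dict:
    """Policy shaped as the last answer recommends: nothing on arn:aws:s3:::*,
    bucket-level list/location, object-level read/write/delete (+ PutObjectAcl)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BucketLevel",
                "Effect": "Allow",
                "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ObjectLevel",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject",
                           "s3:DeleteObject", "s3:PutObjectAcl"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def console_sign_in_url(account_alias: str, bucket: str) -> str:
    """Deep link from the first answer: the user lands in the bucket view
    instead of the bucket list, so ListAllMyBuckets is not needed for the UI."""
    return f"https://{account_alias}.signin.aws.amazon.com/console/s3/?bucket={bucket}"


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def allows_list_all_buckets(policy: dict) -> bool:
    """True if an Allow statement grants s3:ListAllMyBuckets account-wide.
    IAM action names are matched case-insensitively and may contain '*',
    so s3:*, s3:List* and S3:ListAllMyBuckets all count. ListAllMyBuckets
    only applies to Resource '*' (arn:aws:s3:::* is the same grant in
    practice, as in the first answer's policy). Deny statements are not
    evaluated here; this is a grant finder, not a full policy simulator."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        action_hit = any(fnmatch.fnmatchcase("s3:listallmybuckets", a) for a in actions)
        resource_hit = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if action_hit and resource_hit:
            return True
    return False


def resources_scoped_to(policy: dict, bucket: str) -> bool:
    """True if every Allow statement names only the given bucket or its objects."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    return all(
        r in allowed
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        for r in _as_list(stmt.get("Resource", []))
    )


# Constructed sample: the first answer's policy, which still lists every bucket
# (account-wide ListAllMyBuckets) and grants s3:* on the bucket itself.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::customer-data", "arn:aws:s3:::customer-data/*"]},
    ],
}


if __name__ == "__main__":
    policy = bucket_scoped_policy("customer-data")
    print(json.dumps(policy, indent=2))
    print("sign-in:", console_sign_in_url("example-alias", "customer-data"))
    print("scoped policy lists all buckets:", allows_list_all_buckets(policy))
    print("first answer's policy lists all buckets:", allows_list_all_buckets(OVERLY_BROAD))
```

Attach the scoped policy to the IAM user or group and hand out the sign-in link; if the user later needs a second bucket, add its two ARNs to the statements rather than falling back to arn:aws:s3:::*.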