Create IAM User that can view a single S3 bucket

0

Good morning. I don't know if someone can help me with what I need... In my AWS console I manage several S3 clients in the same region. A client is asking me for access to his bucket, but after creating the user and assigning a policy, it shows him all the buckets I have in the console.

I have already managed to block access to the buckets he doesn't have permission for, but it keeps showing the S3 buckets (which carry the names of my other clients).

Is there any way to hide the S3 buckets that the user doesn't have access to?

2 Answers
2

It is not possible to provide access to the S3 Console without granting the ListAllMyBuckets permission.

An acceptable alternative is to redirect users on sign-in directly to the bucket you would like them to see.

To accomplish this, append the following to your IAM sign-in URL: /s3/?bucket=bucket-name

Full Sign-in URL (replace your-alias and bucket-name): https://your-alias.signin.aws.amazon.com/console/s3/?bucket=bucket-name

IAM Policy (replace bucket-name):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}
answered 2 months ago
reviewed 2 months ago
  • Giving users a direct link to their bucket is correct: it removes the need to grant access to list the buckets, which cannot be restricted to individual buckets. However, your policy example still includes the s3:ListAllMyBuckets permission, so the user can still list the other buckets. You'll need to remove that permission and give each user the direct link to their bucket for this solution to work.

  • Also, it's almost certainly not intentional to grant clients full s3:* permissions to the buckets. That would allow them to reconfigure the bucket's permissions, encryption, logging settings, replication, etc. They would typically need s3:GetBucketLocation and s3:ListBucket permissions to the bucket and s3:GetObject, s3:PutObject, s3:DeleteObject, and possibly s3:PutObjectAcl permissions to the objects in their bucket.
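Putting the reviewer's two comments together, here is an added example (not code from the original answer or from AWS) that builds the narrowed policy, drops s3:ListAllMyBuckets, constructs the direct sign-in link, and runs a simplified local evaluation of what the policy grants. The account alias and bucket name are the same placeholders the answer uses (your-alias, bucket-name); the evaluator is an assumption-laden approximation of IAM evaluation (Allow/Deny with wildcards only; no conditions, resource policies or SCPs), intended only to check the shape of the identity policy before it is attached.

```python
import fnmatch
import json

# Placeholders from the answer above; replace with your own values.
ACCOUNT_ALIAS = "your-alias"
BUCKET = "bucket-name"


def bucket_scoped_policy(bucket: str) -> dict:
    """Least-privilege identity policy for one client bucket.

    Follows the reviewer's comment: no s3:ListAllMyBuckets (the console link
    replaces it), bucket-level actions on the bucket ARN, object-level actions
    on the object ARN pattern, and no s3:* so the client cannot change bucket
    configuration (policy, encryption, logging, replication).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BucketLevel",
                "Effect": "Allow",
                "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ObjectLevel",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def console_sign_in_url(alias: str, bucket: str) -> str:
    """Direct console link from the answer: lands the user inside one bucket."""
    return f"https://{alias}.signin.aws.amazon.com/console/s3/?bucket={bucket}"


def _as_list(value):
    # IAM accepts a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified local evaluator (assumption: identity policy only).

    Explicit Deny wins, any matching Allow grants, otherwise implicit deny.
    Action matching is case-insensitive with '*' wildcards, as in IAM;
    Resource matching is case-sensitive with '*' wildcards. Conditions are
    not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = _as_list(stmt["Resource"])
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def grants_bucket_listing(policy: dict) -> bool:
    """True if the policy still lets the user enumerate every bucket name."""
    return is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*")


if __name__ == "__main__":
    policy = bucket_scoped_policy(BUCKET)
    print(json.dumps(policy, indent=4))
    print("Sign-in link:", console_sign_in_url(ACCOUNT_ALIAS, BUCKET))
    print("Can list all buckets:", grants_bucket_listing(policy))
    print("Can read own object:",
          is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/report.csv"))
    print("Can read other client's object:",
          is_allowed(policy, "s3:GetObject", "arn:aws:s3:::other-client/report.csv"))
    print("Can change bucket policy:",
          is_allowed(policy, "s3:PutBucketPolicy", f"arn:aws:s3:::{BUCKET}"))
```

The local evaluator is only a sanity check on the policy document; the authoritative test is the IAM policy simulator or an actual sign-in with the generated link, since bucket policies, permission boundaries and SCPs also participate in the real decision.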

0

It sounds like you've done as much as you can here. The user needs to have s3:ListAllMyBuckets and s3:GetBucketLocation for the Console to show them the buckets in the account, which they have, but beyond that the output cannot be filtered so that some bucket name(s) are suppressed.

You can allow or deny access to specific buckets, which again it sounds like you have already done.

answered 2 months ago
reviewed 2 months ago
