1

I´m trying to write a policy to grant a specific user access to only one bucket

this is what I have so far:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::MYBUCKET",
                "arn:aws:s3:::MYBUCKET/*"
            ]
        }
    ]
}

I don´t want this user to list all other buckets so I changed "Resource": "arn:aws:s3:::*" to "Resource": "arn:aws:s3:::MYBUCKET" but it didn´t work. I don´t need this user to access the console just programmatically is fine. thank you!!

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
handsome
  • 2,335
  • 7
  • 45
  • 73

1 Answers1

3

It is not possible to limit the results of the ListAllMyBuckets command. Either they see the list of all the buckets, or they see none at all.

If they know which bucket they wish to use, then you could simply remove permission to list buckets. They will still be able to list the contents of MYBUCKET and upload/download objects. They just won't be able to request a list of buckets. (And the S3 Management Console won't function because it expects to be able to list all buckets in the account)

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470