1

This is how we make, S3 Bucket object listing request.

final ListObjectsV2Request req = new ListObjectsV2Request().withBucketName(bucketName)

Suppose we have attached the inline policy to the user, who is requesting the resource,

{
         "Sid": "AllowRootAndHomeListingOfBucket",
         "Action": [
             "s3:ListBucket"
         ],
         "Effect": "Allow",
         "Resource": [
             "arn:aws:s3:::XXXX.XXXX",
             "arn:aws:s3:::XXXX.XXXXX/php_serialize.rb"
         ]
     },
     {
         "Sid": "AllowAllS3ActionsInUserFolder",
         "Effect": "Allow",
         "Action": [
             "s3:*"
         ],
         "Resource": [
             "arn:aws:s3:::XXXX.XXXX/php_serialize.rb"
         ]
     }

Effect of this policy is that, it lets the user to list all the root level objects including the resource to which user is given the permission.

do {               
           result = s3client.listObjectsV2(req);

     for (S3ObjectSummary objectSummary : result.getObjectSummaries())      {

           }
           System.out.println("Next Continuation Token : " + result.getNextContinuationToken());
           req.setContinuationToken(result.getNextContinuationToken());
        } while(result.isTruncated() == true );

Result of this is:

text.rb
test/abc
php_serialize.rb
xyx/test.txt

I just want the php_serialize.rb, to get listed. If the requesting user doesn't know about the prefix, to which he is given the permissions.

Following Request, will not work in this case.

 final ListObjectsV2Request req = new ListObjectsV2Request().withBucketName(bucketName).withPrefix("php_serialize.rb");
John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
Siddartha Jangid
  • 13
  • 2

1 Answers1

0

It isn't possible to ask S3 for a list of objects a specific user would be able to access.

That would require evaluating all of the user's permissions against (potentially) every single object in the bucket, which would be computationally intensive at best and impossible at worst, depending on the specific policy constraints in effect against that user and properties that could be specific to the request that the user makes.

The service does not support such a query.

Michael - sqlbot
  • 169,571
  • 25
  • 353
  • 427