
Step 1: User1 created the test-bucket & uploaded a couple of files

Step 2: the policy below is created and attached to the bucket

```json
{
  "Version": "2012-10-17",
  "Id": "policy example",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:List*", "s3:Get*", "s3:Put*"],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
```

Step 3: User1 ran `s3cmd ls` and was able to see the bucket

Step 4: User2 ran `s3cmd ls` and was not able to see the bucket

Step 5: User2 ran `s3cmd ls s3://test-bucket` and was able to see the bucket content

Question: Is there any way we can define the policy/access on the bucket such that User2 is able to see the bucket (as mentioned in Step 4)?

Thanks a lot in advance

  • What do you mean in step 4 when you say "not able to see the bucket"? Does it give an error (what error)? Or does it list all buckets but `test-bucket` is not included in the list? – John Rotenstein Mar 09 '22 at 07:52
  • **Side-note:** I would recommend that you use the official [AWS Command-Line Interface (CLI)](http://aws.amazon.com/cli/) rather than `s3cmd`. The AWS CLI is updated more often and supports more features. – John Rotenstein Mar 09 '22 at 07:53
  • Do both IAM Users belong to the same AWS Account? – John Rotenstein Mar 09 '22 at 07:54

1 Answer


**If both IAM Users are in the same AWS Account**

The `s3cmd ls` command will list all buckets in the AWS Account. It uses the `s3:ListAllMyBuckets` permission. Permissions to run this command are not granted by a Bucket Policy because it lists all buckets.

If you want to grant permission to use `s3cmd ls`, then add this permission to the IAM User:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
```

**If the IAM Users are in different AWS Accounts**

It is not possible for `test-bucket` to appear when a user in a different AWS Account lists buckets. This is because the `s3cmd ls` command lists all buckets in the current user's AWS Account. If the bucket was created in a different account, it will not be listed.

**And a warning...**

The bucket policy you have shown is highly insecure. It is granting permission for anyone in the world to:

  • List the content of the bucket
  • Upload files to the bucket
  • Download files from the bucket

They could, for example, upload pirated movies and then invite other people to download the files. YOU would be charged for the Data Transfer costs involved.

It is rarely a good idea to grant `s3:List*` or `s3:Put*` permissions to `*` (which means anybody and everybody!).

John Rotenstein
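The following is an added example, not code from the question, the answer or AWS. It is a deliberately simplified model of IAM evaluation that reproduces steps 3 to 5 of the question and the two cases in the answer: an account-level action such as `s3:ListAllMyBuckets` is never granted by a bucket policy, the identity policy from the answer does grant it, a bucket owned by another account never appears in the listing, and a small audit helper reports which actions the question's bucket policy hands to everyone. The account id, user ARNs and second bucket are constructed values; explicit `Deny`, conditions and cross-account evaluation are not modelled.

```python
"""Simplified model of how the question's three calls are authorized (added example, not AWS code)."""
import fnmatch

# Actions evaluated against the caller's account rather than a bucket. Bucket
# policies cannot grant these; only the caller's own identity policies can.
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets"}

# Action prefixes the answer warns against granting to everyone.
BROAD_PREFIXES = ("s3:List", "s3:Put")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: 's3:Get*' matches 's3:GetObject'."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(pattern))


def _is_public_principal(spec):
    """True for Principal '*' or {'AWS': '*'}: anyone, authenticated or not."""
    return spec == "*" or (isinstance(spec, dict) and "*" in _as_list(spec.get("AWS", [])))


def _principal_matches(spec, principal_arn):
    if _is_public_principal(spec):
        return True
    if isinstance(spec, dict) and "AWS" in spec:
        return _matches(spec["AWS"], principal_arn)
    return False


def _policy_allows(policy, action, resource, principal_arn=None):
    """True if an Allow statement covers the action and resource (and the principal, for bucket policies)."""
    if policy is None:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            return True
    return False


def is_allowed(action, resource, principal_arn, identity_policy=None, bucket_policy=None):
    """Same-account, deny-by-default evaluation: an Allow from either the identity
    policy or the bucket policy suffices, except that account-level actions
    ignore the bucket policy entirely (constructed simplification)."""
    if _policy_allows(identity_policy, action, resource):
        return True
    if action in ACCOUNT_LEVEL_ACTIONS:
        return False  # bucket policies are never consulted for these
    return _policy_allows(bucket_policy, action, resource, principal_arn)


def list_all_my_buckets(principal_arn, principal_account, buckets, identity_policy=None, bucket_policy=None):
    """What `s3cmd ls` (ListAllMyBuckets) returns: only buckets owned by the
    caller's own account, and only if the identity policy allows the call."""
    if not is_allowed("s3:ListAllMyBuckets", "*", principal_arn, identity_policy, bucket_policy):
        raise PermissionError("AccessDenied: s3:ListAllMyBuckets")
    return sorted(name for name, owner in buckets.items() if owner == principal_account)


def public_grants(bucket_policy):
    """Audit helper: (all actions granted to everyone, the broad ones among them)."""
    granted, broad = [], []
    for stmt in bucket_policy["Statement"]:
        if stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal")):
            for action in _as_list(stmt["Action"]):
                granted.append(action)
                if action == "s3:*" or action.startswith(BROAD_PREFIXES):
                    broad.append(action)
    return granted, broad


# Constructed scenario: one account, two users, the question's bucket policy.
ACCOUNT = "111122223333"                       # hypothetical account id
USER1 = f"arn:aws:iam::{ACCOUNT}:user/User1"
USER2 = f"arn:aws:iam::{ACCOUNT}:user/User2"
BUCKETS = {"test-bucket": ACCOUNT, "other-account-bucket": "999999999999"}

QUESTION_BUCKET_POLICY = {  # the policy posted in the question
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:List*", "s3:Get*", "s3:Put*"],
                   "Resource": "arn:aws:s3:::*"}],
}
ANSWER_IDENTITY_POLICY = {  # the identity policy from the answer, attached to User1 only
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
}


def scenario():
    """Reproduce steps 3 to 5 of the question and return the outcomes."""
    return {
        "user1_ls": list_all_my_buckets(USER1, ACCOUNT, BUCKETS, ANSWER_IDENTITY_POLICY, QUESTION_BUCKET_POLICY),
        "user2_ls_allowed": is_allowed("s3:ListAllMyBuckets", "*", USER2, None, QUESTION_BUCKET_POLICY),
        "user2_list_bucket": is_allowed("s3:ListBucket", "arn:aws:s3:::test-bucket", USER2, None, QUESTION_BUCKET_POLICY),
    }


if __name__ == "__main__":
    print(scenario())
    print(public_grants(QUESTION_BUCKET_POLICY))
```

Running it shows User1 listing only `test-bucket` (the other account's bucket is filtered out regardless of permissions), User2 denied for `s3:ListAllMyBuckets` even though the public bucket policy lets User2 call `s3:ListBucket` on `test-bucket`, and the audit reporting `s3:List*` and `s3:Put*` as broad public grants.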
  • Thank you for your reply. This is the example JSON I shared here with my query, and I didn't define the policy with a wildcard in it. Can you share with me the sample command (from the CLI) to attach the policy to the user? Adding policy to bucket: `~/s3cmd-2.1.0> s3cmd setpolicy test_policy.json s3://test-bucket/` Thanks a lot in advance – Chandra Duddukuri Mar 09 '22 at 12:26
  • Frankly, it's easiest to use the IAM Management Console, rather than attaching policies via the command-line. However, if you wanted to do it that way, you would use: [put-user-policy — AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/iam/put-user-policy.html) – John Rotenstein Mar 09 '22 at 21:41