
I'm trying to define a policy for a specific user. I have several buckets in my S3 but I want to give the user access to some of them. I created the following policy:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:PutObject"],
      "Resource":["arn:aws:s3:::examplebucket"]
    }
  ]
}

When I try to add a list of resources like this:

"Resource":["arn:aws:s3:::examplebucket1","arn:aws:s3:::examplebucket2"]

I get access denied.

The only option that works for me (I get buckets lists) is:

"Resource": ["arn:aws:s3:::*"]

What's the problem?

Itai Mo
  • `arn:aws:s3:::examplebucket1` is the resource identifier of the bucket; `arn:aws:s3:::examplebucket1/*` is the wildcard identifier for the objects inside the bucket. Permission against the bucket != permissions on objects. Try this change? – Michael - sqlbot Nov 20 '16 at 15:01

2 Answers


Some Amazon S3 API calls operate at the Bucket-level, while some operate at the Object-level. Therefore, you will need a policy like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}

See: AWS Security Blog - Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

John Rotenstein
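An added example (not from the question or either answer) that shows the bucket-vs-object split in working code: it builds the two-statement policy for a list of buckets and checks requests against it with a small IAM-style matcher (wildcard matching only, no conditions, no NotAction/NotResource), so the Access Denied from the question reproduces. The bucket names and object key are constructed.

```python
"""Added example: generate a least-privilege S3 policy for a list of buckets
and check, with a simplified IAM-style matcher, why a bucket ARN alone does
not cover object-level actions. Bucket names and keys are constructed."""
import fnmatch
import json

BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject"]


def build_policy(buckets):
    """Two statements, as in the answer above: bucket ARNs for bucket-level
    calls, bucket/* ARNs for object-level calls."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": BUCKET_ACTIONS,
             "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]},
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. '*' matches any run of characters (including '/'), '?' one."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
               and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


# The questioner's shape of policy, constructed here: bucket ARNs only, no "/*".
ORIGINAL = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::examplebucket1", "arn:aws:s3:::examplebucket2"]}]}

if __name__ == "__main__":
    fixed = build_policy(["examplebucket1", "examplebucket2"])
    print(json.dumps(fixed, indent=2))
    obj = "arn:aws:s3:::examplebucket1/report.csv"
    print(is_allowed(ORIGINAL, "s3:GetObject", obj))  # False: bucket ARN != objects
    print(is_allowed(fixed, "s3:GetObject", obj))     # True
    print(is_allowed(fixed, "s3:GetObject", "arn:aws:s3:::other/x"))  # False
```

The matcher ignores conditions, bucket policies and the ListAllMyBuckets special case (that call needs Resource "*", as the second answer notes), so use it to reason about ARN shapes, not as a substitute for the IAM policy simulator.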

I found that it's an AWS limitation. There is no option to get a filtered list of buckets. Once you give permissions to ListAllMyBuckets like this:

{
  "Sid": "AllowUserToSeeBucketListInTheConsole",
  "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::*"]
}

you get the list of all buckets (including buckets that you don't have permissions to).

More info could be found here: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

A few workarounds can be found here: Is there an S3 policy for limiting access to only see/access one bucket?

Itai Mo