Is there an S3 policy for limiting access to only see/access one bucket?

Question

I have a simple bucket that looks like images.mysite.com on my S3 and other buckets containing backups, etc.

I want to allow a specific user to be able to access the images.mysite.com bucket in order to upload images. However, I DO NOT want him to see any of the other buckets; not even that they exist.

I could not make a policy that does this; every time I try something restrictive, it ends up blocking the listing of any buckets.

I'm voting to close this question as off-topic because it should be on Superusers — Tonny Madsen, May 24 '16 at 18:32
A policy could be generated here at : http://awspolicygen.s3.amazonaws.com/policygen.html — Suhail Gupta, Aug 19 '16 at 07:44
Related: [Restrict List of Buckets for a Specific User](https://stackoverflow.com/q/17736048/55075). — kenorb, Sep 29 '17 at 13:39
Why not just share the URL of the bucket -- `https://s3.console.aws.amazon.com/s3/buckets/my-bucket-name/`. This way you keep them from seeing the whole list and don't change anything on your current policy. — treecoder, Apr 23 '20 at 04:31
@TonnyMadsen this question perfectly fits to this forum IMHO — Arefe, Feb 28 '22 at 06:02

score 119 · Answer 1 · edited Nov 01 '17 at 08:38

119

I've been trying this for a while and finally came up with a working solution. You must use different "Resources" depending on the kind of action you're performing. Also I included some missing actions in the previous answer (like DeleteObject) and restricting some more (like PutBucketAcl).

The following IAM policy is working for me now:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::itnighq",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::itnighq/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}

The actions regarding a bucket and those regarding objects must have different arn.

edited Nov 01 '17 at 08:38

Martin Prikryl

188,800
56
490
992

answered Aug 05 '11 at 11:56

rogercampos

1,676
1
10
8

9

This is a great answer, thank you. It might be worth noting that the implication of the s3:ListAllMyBuckets permission is that the recipient of this policy can see all of your (root's) buckets. There is no data disclosure directly, but there might be sensitivity/confusion around bucket names. It is feasible to remove this particular permission and things should still work (although "s3cmd ls" etc will not return the target bucket). – Mike Repass Sep 06 '12 at 21:38
122

This does not prevent the user to see other bucket names ! – metdos Nov 14 '12 at 12:37
I wanted go get a policy that only allows uploading (in my case via the S3-PHP-API) so `PutObject` and `PutObjectAcl` was enough for me. I also wanted to allow the upload permission only to a specific bucket and folder so I set resource to `arn:aws:s3:::BUCKET/FOLDER/*`. Working perfect for me. – fnkr Jun 01 '13 at 09:28
1

+1 I simplified the action in the second statement (which allows access to the bucket content) to "Action": "s3:*". The s3:ListAllMyBuckets section may not be required in all circumstances - jgit, for example, doesn't need it. – MZB Sep 02 '13 at 23:18
2

@metdos you can prevent users to see other bucket names by removing the last policy. – O.O Apr 23 '14 at 10:27
2

@HendraUzia No it doesn't. Removing that policy causes the console to list no buckets at all. – Joshua Kolden May 19 '14 at 15:43
23

In order to see the list of buckets in the console (and therefore use the console for bucket access) you _must_ grant `ListAllMyBuckets` and `GetBucketLocation` for _all_ S3 buckets (`"arn:aws:s3:::*"` will work rather than `"*"` for the resource). As stated in [this AWS blog post](http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke) "as an aside, you currently can't selectively filter out certain buckets, so users must have permission to list all buckets for console access." – jwadsack Jun 25 '14 at 20:46
Note: change "itnighq" to your bucket name. I didn't catch that at first look. Otherwise works well for me. – djburdick Mar 05 '15 at 19:55
Worked great for me, remember to add the "Version" string in the root JSON object, else it wont validate: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html – peter n Apr 11 '15 at 21:00
Both s3:ListAllMyBuckets and s3:GetBucketLocation are required on resource arn:aws:s3:::* in order for end users to use the client program ExpanDrive (which has a nice interface that treats S3 as a drive on PC or Mac). Some other client programs, such as CyberDuck, seem to be fine with only s3:ListAllMyBuckets on arn:aws:s3:::*. – bradw2k Apr 22 '15 at 22:53
14

This is horrible advice. It's dangerous and specifically what the OP didn't want. See the answers by [Andreas Stankewitz](https://stackoverflow.com/a/18089783) and [BFar](https://stackoverflow.com/a/30961920) for feasible workarounds. – AndreKR Jun 24 '17 at 09:03
1

I can still see the list of all buckets. Not working :( – Rishikesh Chandra Jan 22 '20 at 06:55
This answer does not fill the questioner's need. Don't understand why it has so many upvotes. – Jrm_FRL Jan 18 '22 at 09:22

score 49 · Answer 2 · edited Feb 16 '23 at 07:39

49

It is not possible to provide access to the S3 Console without granting the ListAllMyBuckets permission.

In my case (and perhaps yours as well, future reader) an acceptable alternative is to redirect users on sign in directly to the bucket you would like them to see.

To accomplish this, append the following to your IAM sign in url: /s3/?bucket=bucket-name

Full Sign-in URL (replace your-alias and bucket-name):

https://your-alias.signin.aws.amazon.com/console/s3/?bucket=bucket-name

IAM Policy (replace bucket-name):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

For more information on how to create bucket specific permissions for users, read this blog: http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/

edited Feb 16 '23 at 07:39

filpa

3,651
8
52
91

answered Jun 21 '15 at 06:31

BFar

2,447
22
23

1

This works well. Would be optimal if users couldn't explore outside the bucket view.... But I'll take it. Thanks @BFar. – Jamie Popkin Feb 10 '17 at 22:35
This is the ONE CORRECT answer, all the others will list every bucket - that should be hidden as per the original request. – Steve Horvath Apr 08 '19 at 05:24
Exactly what I need. Thanks. – dzhg Apr 11 '19 at 21:23
This policy contains the following error: A managed policy must have a version string For more information about the IAM policy grammar, see AWS IAM Policies – Yevgeniy Afanasyev Aug 23 '21 at 06:35
The version string (usually added at the very top of the JSON on the root level) should be `"Version": "2012-10-17",`. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html – filpa Feb 16 '23 at 07:37

score 42 · Answer 3 · answered Aug 06 '13 at 20:25

Our use case: Provide backup space for clients of our cloud application that can be accessed by the clients directly using common S3 tools. Of course, no client should see what other clients have.

As cloudberryman explained, "You can either list all buckets or none.", so we have to come up with a work around. Background:

Granting ListAllMyBuckets rights to the user is needed so that AWS S3 console or S3Fox connect without an error message. But ListAllMyBuckets lists all buckets, regardles of the resources assigned (actually, only arn:...:::* works). That's a serious bug, if you ask me. Btw. denying ListBucket for all buckets does not prevent them from being listed, as ListBucket grants rights to list the bucket's content.

There are 3 possiblities I considered as work around. I chose the last one.

(1) use cryptic bucket names, e.g. GUIDs

Advantage: easy to set up

Disadvantage: difficult to manage, especially for the client. (imagine to find a specific GUID amoung thousands of others.) Also shows of the number of buckets = number of clients using the backup service.

(2) use one bucket with client specific folders

This is how Amazon suggests by their S3/IAM examples to provide space to access only by certain users or user groups. See: AWS Example IAM Policies

Advantage: fairly easy to set up, goes with AWS ideas

Disadvantage: forces to make the existance of all buckets public, so the client can find their "home" bucket. AWS accounting provides statistics of bucket usage, but not of folder usage, which makes it difficult to calculate cost by client.

(3) don't grant access right for ListAllMyBuckets

Advantage: you get what you want: clients can't see other client's buckets

Disadvantage: the client can't see his or her own bucket. S3Browser comes with a nice "cannot do" message and asks for the bucket name to enter. S3Fox throws an error message when connecting to the root, but allows direct navigation to the client's bucket if the bucket name is known. Amazon S3 console does not work at all.

Hope this helped to handle S3 IAM as you need it.

Also, for Solution (1) if you want to use web hosting with a bucket then the bucket name must match the domain name. — Andy Fusniak, May 25 '17 at 10:37

score 22 · Answer 4 · edited Dec 02 '15 at 06:41

22

Try this policy. also take into account that there no way to let the user list only selected bucket. You can either list all buckets or none.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:PutBucketAcl",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::your_bucket_here/*",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
            "Condition": {}
        }
    ]
}

edited Dec 02 '15 at 06:41

sanmai

29,083
12
64
76

answered Jul 08 '11 at 19:43

cloudberryman

4,598
2
27
14

2

It works great! I had to do change action to be `s3:*` to get it to work for me. I also had `"Resource": ["arn:aws:s3:::your_bucket_here", "arn:aws:s3:::your_bucket_here/*"]`, but this might not be needed. – Michael Yagudaev Mar 05 '13 at 19:50
3

s3:* grants access to do anything, including delete a bucket. Sure you want that? – Dave Gregory Oct 20 '17 at 11:33

score 12 · Answer 5 · answered Jun 13 '16 at 14:58

I am interpreting this question as: "Can I allow access to one bucket where any other buckets will not be accessible and thus invisible." Because, showing the name of the bucket to which no access was granted still equates to information leakage.

And the correct answer is no. The required permission is ListAllMyBuckets which will allow the user to see ALL buckets. Leaving out this permission will make the console unusable.

joevartuli · Answer 6 · 2013-05-06T07:27:26.667

There is a great way to allow users to access a specific bucket without comprising knowledge of other buckets. A group policy that is like the one below will allow users to only see "bucket a". The only catch is that the user will only ever be able to access the bucket if they connect to the given bucket endpoint. For the example below that would be bucket-a.s3.amazonaws.com. The bucket may also have to have "Authenticated Users" allowed for this to occur.

{
    "Statement": [
     {
         "Sid": "<EXAMPLE_SID>",
         "Action": [
           "s3:ListBucket",
           "s3:GetBucketLocation"
          ],
         "Effect": "Allow",
         "Resource": [
           "arn:aws:s3:::bucket-a"
         ]
     },
     {
      "Sid": "<EXAMPLE_SID>",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-a/*"
      ]
     }
   ]
}

This method was tested with Cyberduck on Mac OS/X and using the s3cmd package

./s3cmd ls s3://bucket-a --access_key=ACCESS_KEY --secret_key=SECRET_KEY --bucket-locat
ion=ap-southeast-2

I can still see the list of all buckets. Not working :( – Rishikesh Chandra Jan 22 '20 at 06:55 — Rishikesh Chandra, Jan 22 '20 at 06:55

score 5 · Answer 7 · edited May 23 '17 at 12:18

Confused about why no answer was checked?

Let's break down each policy statement from above solutions:

This policy statement from applies to the contents of the bucket, but not the buck itself. This is probably not what the question asked for, because you can't see what's in the bucket.

{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:PutObjectAcl",
"s3:ListBucket",
"s3:GetBucketAcl",
"s3:PutBucketAcl",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::your_bucket_here/*",
"Condition": {}
}

This two statement policy derived from gives readonly access to the bucket at (arn:aws:s3:::your_bucket_here/) readonly, but still allows CRUD ops on the bucket's contents (arn:aws:s3:::your_bucket_here/*).

{
  "Effect": "Allow",
  "Action": [
    "s3:ListBucket",
    "s3:GetBucketLocation",
    "s3:ListBucketMultipartUploads"
  ],
  "Resource": "arn:aws:s3:::your_bucket_here",
  "Condition": {}
},
{
  "Effect": "Allow",
  "Action": [
    "s3:AbortMultipartUpload",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:GetObject",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:PutObjectAclVersion"
  ],
  "Resource": "arn:aws:s3:::your_bucket_here/*",
  "Condition": {}
}

However, the policy includes the statement below, which allows a user see all the buckets at the endpoint. This is probably not what the question asked for.

{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}

However, the above very useful if you use a client that browsers an S3 store. If your client accesses the store and not the bucket directly, so you need access to the list of buckets at the root.

jjanczyszyn · Answer 8 · 2015-11-16T11:49:40.873

3

Probably the simplest use case:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket-name"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::bucket-name/*"]
    }
  ]
}

edited Nov 16 '15 at 11:49

answered May 18 '15 at 17:30

jjanczyszyn

458
4
8

1

AWS responding: `This policy contains the following error: The policy must contain a valid version string` – MaximeBernard Nov 16 '15 at 10:03
that's right - I corrected my response ->
there are only two possible values here:
*2012-10-17* and *2008-10-17*.
Further reference can be found here:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Version – jjanczyszyn Nov 16 '15 at 11:50
Any idea about the `(listing included)` meaning how to list only the bucket the user is allowed to get in? So far (and according to all other answers), it seems like AWS won't let you do that. – MaximeBernard Nov 16 '15 at 14:01

score 3 · Answer 9 · edited Jul 23 '19 at 11:36

I found this solution:
AWS FLOW:

Bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*", #Role ID
            "111111111111" #AccountID
          ]
        }
      }
    }
  ]
}

IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",  #Role ID
            "AIDAEXAMPLEID",  #UserID
            "111111111111"  #AccountID
          ]
        }
      }
    }
  ]
}

aws iam get-user -–user-name USER-NAME --profile=ExampleProfile

aws iam get-role --role-name ROLE-NAME --profile=ExampleProfile

Source: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

P.S. be careful with bucket policy, you can stay out without permissions

Shaik Ismail · Answer 10 · 2017-03-30T14:07:10.847

There is easy way or workaround to do this using AWS Organizations. AWS organization allows you to have multiple user accounts. Your main account will can have multiple AWS accounts(Sub) and what ever services(s3/EC2/*) are added in whichever AWS accounts only those resources will be visible.

Please refer https://aws.amazon.com/blogs/aws/aws-organizations-policy-based-management-for-multiple-aws-accounts/ https://aws.amazon.com/organizations/

Organization On My account page

score 2 · Answer 11 · answered Jun 15 '18 at 12:43

2

As it has been well discussed above, listing only one bucket on console is not possible. But if S3 bucket's access is attached to an IAM, IAM can directly access the bucket if URL to bucket is available. S3 bucket url will be like:

https://s3.console.aws.amazon.com/s3/buckets/BucketName

Where BucketName is name of bucket IAM has access to

answered Jun 15 '18 at 12:43

Ishan Tomar

1,488
1
16
20

2

I think this is the only feasible solution in 2018 also. – Saurabh Jul 09 '18 at 10:39

score 2 · Answer 12 · answered Oct 21 '19 at 10:51

Similar to what others described above:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket"
         ],
         "Resource":"arn:aws:s3:::awsexamplebucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject"
         ],
         "Resource":"arn:aws:s3:::awsexamplebucket/*"
      }
   ]
}

Here is however the missing piece. While it is not possible to access the bucket through S3->Home, it is possible to access only the desired bucket through a direct link.

https://s3.console.aws.amazon.com/s3/buckets/yourawsbucket/

You can find more information in the following post:

https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/

score 1 · Answer 13 · answered Sep 11 '15 at 11:18

I managed to get the following working. Meant that listing other buckets recieved Access Denied message. But was still able to see the bucket that I wanted if I connected with the bucket name set as path.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::test"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}

I was using Cyberduck to test this connection.

kenorb · Answer 14 · 2017-10-03T11:44:11.197

While it's not possible to restrict s3:ListAllMyBuckets action to specific buckets, as for workaround you can send them Console URL for specific bucket, e.g.

https://s3.console.aws.amazon.com/s3/buckets/BUCKET_NAME/

^{Source: Restricting list of S3 buckets from the S3 Console}

In order to do that, you'll need to specify the following policy document for given user or group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-1",
                "arn:aws:s3:::my-bucket-2"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-1/*",
                "arn:aws:s3:::my-bucket-2/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

^{Where my-bucket-1 and my-bucket-2 are your buckets to give the read and write access.}

score 1 · Answer 15 · answered Jan 04 '19 at 10:21

Try this policy. User cannot list any bucket, they have to use direct link to allowed bucket.

For example: s3.console.aws.amazon.com/s3/buckets/bucketname/?region=us-east-1&tab=overview

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucketname"
      ]
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucketname*"
      ]
    },

  ],
  "Version": "2012-10-17"
}

score 0 · Answer 16 · answered Jun 11 '15 at 15:17

The solution bellow worked for me. I wanted a policy to grant access to a specific user my_iam_user on a specific bucket my-s3-bucket.

This policy allow my user to list, delete, get e put files on a specific s3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/my_iam_user"
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::my-s3-bucket"
        },
        {
            "Sid": "AddDeleteFiles",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/my_iam_user"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my-s3-bucket/*"
        }
    ]
}

score 0 · Answer 17 · answered Aug 20 '15 at 11:46

I just add a similar need, solved by this :

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:Get*",
            "s3:Put*",
            "s3:DeleteObject",
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::my-bucket-name",
            "arn:aws:s3:::my-bucket-name/*"
        ]
    }
  ]
}

score 0 · Answer 18 · edited May 24 '16 at 19:11

I use the following stuff to hide bucket's contents from other users. This not only helps to hide other buckets (don't use ListAllMyBuckets), but also folders in the same bucket, when you make one bucket, but want to have subfolders in it assigning proper permissions to IAM User/subfolder.

The following policy is applied to IAM Group and all users are in this Group. You need to take aws:userid and make a subfolder with the same name in the bucket.

UserID can be taken: aws iam get-user --user-name "user_name_for_folder_access":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name/${aws:userid}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name"
            ]
        }
    ]
}

score 0 · Answer 19 · answered Oct 18 '17 at 06:58

A nice simple solution we came up with is to block the user to login to the root directory. So they must login with remote path set to desired folder.

 {
"Statement": [
    {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::folder-name*",
        "Condition": {}
    }
]
}

score 0 · Answer 20 · edited Sep 24 '18 at 02:31

0

No, it's not currently possible to limit users to view selective buckets under root or anywhere else. You have only those 3 options right now.

I chose to ask the client to use the bucket name explicitly.

edited Sep 24 '18 at 02:31

user4157124

2,809
13
27
42

answered Sep 23 '18 at 15:18

foggy_glasses

9
2

score -1 · Answer 21 · answered Sep 05 '14 at 11:41

-1

This is detailed by Amazon on http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket

answered Sep 05 '14 at 11:41

Sytse Sijbrandij

1,885
2
22
20

score -1 · Answer 22 · answered May 05 '17 at 07:56

This worked perfect for me . User can upload, Download and get list of files but will not able to see files from other bucket.

 {    

"Statement": [    

{
    "Effect": "Allow",
    "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:PutBucketAcl",
        "s3:GetBucketLocation"
    ],
    "Resource": "arn:aws:s3:::mybucketname/*",
    "Condition": {}
},
{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "*",
    "Condition": {}
},
{
    "Effect": "Deny",
    "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucketWebsite",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
    ],
    "Resource": "arn:aws:s3:::mybucketname/*",    

    "Condition": {}    

}
]
}

score -2 · Answer 23 · answered Dec 22 '16 at 05:46

-2

Add a Deny clause for the bucket(s) you do not want to access. Remember that they might still be listed, but you won't be able to access the contents inside them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

answered Dec 22 '16 at 05:46

treecoder

43,129
22
67
91

1

You should explicitly grant access to resources. When you default grant access to all resources, you can accidentally omit resources you want to keep private. Also granting access to all S3 actions means user can make resources public or setup static hosting or do other harmful things. – Ondrej Galbavý Oct 10 '17 at 10:36

Is there an S3 policy for limiting access to only see/access one bucket?

23 Answers23

Linked

Related