I created the following AWS policy in order to give a user access to the my-backup bucket. The user can see all objects in the bucket and edit them, but he cannot go to the overview page.

I thought that by giving the ListBucket action, he would be able to see the bucket indicated. But the overview page shows an empty list as if there were no buckets at all.

What permission/action would I need to add?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-backup"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-backup/*"
            ]
        }
    ]
}
andreas

1 Answer

There is a difference between listing files in the bucket and listing the buckets. The first one already works.

For the latter you need s3:ListAllMyBuckets on resource *. This will allow them to see every bucket you own. There is no middle ground: either they can see all buckets or no buckets. Obviously, even though they can see the other buckets, as long as they have no additional permissions they cannot interact with them.

luk2302
  • I saw that policy, but that's a bummer. Is it not possible to use ListAllMyBuckets with a specific resource arn only? – andreas Mar 20 '23 at 20:08
  • 1
    @andreas yes, that is not possible. That applies to basically anything you can list in AWS, you can list resources or you can't. You can think of this as the permission check happening before the anything is ever listed. The question is only "can you list buckets?" - "yes" - "okay, here are all the buckets", there is no filtering after the retrieved listing. As I said this applies to basically all `List*` operations. – luk2302 Mar 20 '23 at 20:11
  • According to https://stackoverflow.com/questions/6615168/is-there-an-s3-policy-for-limiting-access-to-only-see-access-one-bucket, it's not possible. – andreas Mar 20 '23 at 20:11
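To make the accepted answer and the comment thread concrete, here is an added example (not part of the original question or answer, and not AWS code) in Python. It is a deliberately simplified, constructed model of IAM policy evaluation: an action is allowed only if some Allow statement matches both the action and the resource ARN, everything else is an implicit deny, and explicit Deny, Condition blocks, SCPs and resource policies are ignored. The key modelling choice, taken from how AWS evaluates s3:ListAllMyBuckets, is that the request resource for that action is the literal `*`, so a statement scoped to a bucket ARN never matches it, and the overview page shows either every bucket or none. `ORIGINAL_POLICY` is a copy of the questioner's policy; `grant_list_all_my_buckets` and the bucket names other than my-backup are assumptions for the demonstration.

```python
import copy
import re

# Constructed copy of the policy from the question.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-backup"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::my-backup/*"]},
    ],
}


def iam_pattern_matches(pattern, value):
    """Match an IAM action/resource pattern: '*' is any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    # IAM accepts a single string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified evaluation: Allow only if a statement matches action AND resource.

    Assumption (simplification): no explicit Deny, no Conditions, no other policies.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(iam_pattern_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_ok = any(iam_pattern_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False  # implicit deny


def grant_list_all_my_buckets(policy, resource="*"):
    """Return a copy of `policy` with an s3:ListAllMyBuckets statement added.

    The answer's fix uses resource "*"; passing a bucket ARN instead shows why
    the narrowing asked about in the comments does not work.
    """
    fixed = copy.deepcopy(policy)
    fixed["Statement"].append({
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets"],
        "Resource": [resource],
    })
    return fixed


def visible_buckets(policy, owned_buckets):
    """What the S3 console overview page would list for this principal.

    ListAllMyBuckets is evaluated against the request resource "*" before any
    listing happens, so the outcome is all buckets or no buckets; there is no
    per-bucket filtering of the result.
    """
    if not is_allowed(policy, "s3:ListAllMyBuckets", "*"):
        return []
    return list(owned_buckets)


if __name__ == "__main__":
    owned = ["my-backup", "other-bucket"]  # constructed bucket names
    fixed = grant_list_all_my_buckets(ORIGINAL_POLICY)
    narrowed = grant_list_all_my_buckets(ORIGINAL_POLICY, "arn:aws:s3:::my-backup")
    print("original overview:", visible_buckets(ORIGINAL_POLICY, owned))
    print("fixed overview:   ", visible_buckets(fixed, owned))
    print("narrowed overview:", visible_buckets(narrowed, owned))
    # Seeing other-bucket in the list grants nothing on it:
    print("GetObject on other-bucket:",
          is_allowed(fixed, "s3:GetObject", "arn:aws:s3:::other-bucket/key"))
```

Running the script prints an empty overview for the original policy, both buckets for the fixed one, and again an empty overview for the "narrowed" variant, while GetObject on the other bucket stays denied in every case. The last point is the defender's takeaway from the answer: ListAllMyBuckets leaks bucket names, not contents, and the object-level statements still decide what the user can touch.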