Is there an S3 policy for limiting access to only see/access one bucket?

amazon-s3 policy bucket
Alex picture Alex · Jul 7, 2011 · Viewed 94.8k times · Source

I have a simple bucket that looks like images.mysite.com on my S3 and other buckets containing backups, etc.

I want to allow a specific user to be able to access the images.mysite.com bucket in order to upload images. However, I DO NOT want him to see any of the other buckets; not even that they exist.

I could not make a policy that does this; every time I try something restrictive, it ends up blocking the listing of any buckets.

Answer

rogercampos picture rogercampos · Aug 5, 2011

I've been trying this for a while and finally came up with a working solution. You must use different "Resources" depending on the kind of action you're performing. Also I included some missing actions in the previous answer (like DeleteObject) and restricting some more (like PutBucketAcl).

The following IAM policy is working for me now:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::itnighq",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::itnighq/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}

The actions regarding a bucket and those regarding objects must have different arn.

Related questions

Access Denied upload to s3

I tried uploading to s3 and when I see the logs from the s3 bucket logs this is what it says: mybucket-me [17/Oct/2013:08:18:57 +0000] 120.28.112.39 arn:aws:sts::778671367984:federated-user/[email protected] BB3AA9C408C0D26F REST.POST.BUCKET avatars/…

Read More
s3 Policy has invalid action - s3:ListAllMyBuckets

I'm trying these policy through console.aws.amazon.com on my buckets: { "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::itnighq", "Condition": {} }, { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:…

Read More
How can I make a S3 bucket public (the amazon example policy doesn't work)?

Amazon provides an example for Granting Permission to an Anonymous User as follows (see Example Cases for Amazon S3 Bucket Policies): { "Version": "2008-10-17", "Statement": [ { "Sid": "AddPerm", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*" } ] } Within …

Read More