IAM policy to allow access to a specific version of an object in S3 object?-CodePudding

I have three versions of an object in a bucket. I am trying to create an IAM role such that the user can only access one specific version of that object. This is my policy so far :-

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketVersions"
            ],
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObjectVersion",
            "Resource": "arn:aws:s3:::my-bucket/photo.jpg"
        },
        {
            "Effect": "Deny",
            "Action": "s3:GetObjectVersion",
            "Resource": "arn:aws:s3:::my-bucket/photo.jpg",
            "Condition": {
                "StringNotEquals": {
                    "s3:VersionId": "X9R5gJiVUszzxtlsBdMi_cfvftr43"
                }
            }
        }
    ]
}

But when i run aws s3api list-object-versions --bucket my-bucket --prefix photo.jpg in the cli, i'm still getting the output with all three versions of the file when i should just get one which is specified in the policy. What am i doing wrong? Any help will be appreciated.

CodePudding user response：

What am i doing wrong?

Nothing. That's how it should work. list-object-versions list all object versions, exactly as it is supposed to do. You can't limit it to only list selected versions and "hide" other versions.

If you do not like that behavior, do not allow ListBucketVersions.