Home > Software engineering >  IAM Policy: Users cannot access S3 bucket
IAM Policy: Users cannot access S3 bucket

Time:12-06

I have created an user and assigned the below inline Policy. On same time I created one bucket in s3.

"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucketname"

When I apply this policy to the particular user and try accessing S3,the specific bucket listed in resources its not showing up? My concern is I have given Action to all s3 and then y didn't my bucket is showing up in S3?

Through visual editor I tried creating policy for same things and the policy look like below

 {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListStorageLensConfigurations",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:ListMultiRegionAccessPoints",
                "s3:CreateJob"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucketname"
        }
    ]
}

Why did separate action is created for listing and its allowed for every resources?

CodePudding user response:

Some actions are performed at the bucket-level (eg Listing a bucket), while some are performed at the object-level (eg downloading objects).

You can grant both permissions simultaneously with:

Here is an example from User policy examples - Amazon Simple Storage Service:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action": "s3:ListAllMyBuckets",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":["s3:ListBucket","s3:GetBucketLocation"],
         "Resource":"arn:aws:s3:::bucketname"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::bucketname/*"
      }
   ]
}

You can combine it all into a single policy too:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect": "Allow",
         "Action": "*",
         "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
      }
   ]
}

However, please note that this "Allow All" policy is also granting permission for the user to delete objects and buckets, so you should be very careful when granting such permission to users.

Page link:https//www.codepudding.com/Softwareengineering/217219.html

Prev:How to properly delete with AWS CDK
Next:Run ECS service task only once
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding