I have created a user and assigned the inline policy below. At the same time I created one bucket in S3.
{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::bucketname"
}
When I apply this policy to that user and try accessing S3, the specific bucket listed in Resource is not showing up. My concern is that I have given Action for all of S3, so why is my bucket not showing up in S3?
Through the visual editor I tried creating a policy for the same things, and the policy looks like below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListStorageLensConfigurations",
        "s3:ListAccessPointsForObjectLambda",
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:ListJobs",
        "s3:PutStorageLensConfiguration",
        "s3:ListMultiRegionAccessPoints",
        "s3:CreateJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketname"
    }
  ]
}
Why is a separate action created for listing, and why is it allowed for every resource?
CodePudding user response:
Some actions are performed at the bucket level (e.g. listing a bucket), while some are performed at the object level (e.g. downloading objects).
You can grant both permissions simultaneously with:
Here is an example from User policy examples - Amazon Simple Storage Service:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::bucketname/*"
    }
  ]
}
You can combine it all into a single policy too:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
    }
  ]
}
However, please note that this "Allow All" policy is also granting permission for the user to delete objects and buckets, so you should be very careful when granting such permission to users.
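As an added illustration (not part of the answer above, and not real IAM code), here is a small Python model of how IAM matches an S3 request against the Action and Resource elements of Allow statements. It evaluates the asker's original single statement and the three-statement example from the answer; the action-to-resource table is a constructed subset, and Deny, Condition, bucket policies and SCPs are deliberately left out.

```python
import fnmatch

# Which resource ARN an S3 API call is authorised against (constructed subset).
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}                    # needs Resource "*"
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}   # arn:aws:s3:::bucket
# Every other action in this model is object-level: arn:aws:s3:::bucket/key

def request_resource(action, bucket, key="file.txt"):
    """Resource ARN that IAM compares the statement's Resource element against."""
    if action in ACCOUNT_LEVEL:
        return "*"
    if action in BUCKET_LEVEL:
        return f"arn:aws:s3:::{bucket}"
    return f"arn:aws:s3:::{bucket}/{key}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, bucket, key="file.txt"):
    """True if some Allow statement matches both the action and the resource.
    IAM wildcards (* and ?) are modelled with fnmatch; nothing else is."""
    target = request_resource(action, bucket, key)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(target, p) for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

# The asker's single statement: s3:* but only on the bucket ARN itself.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::bucketname"}]}

# The three-statement example from the answer (object actions trimmed).
ANSWER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::bucketname"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::bucketname/*"}]}

def compare(actions=("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")):
    """Map each action to (allowed by ORIGINAL, allowed by ANSWER)."""
    return {a: (is_allowed(ORIGINAL, a, "bucketname"),
                is_allowed(ANSWER, a, "bucketname")) for a in actions}

if __name__ == "__main__":
    for action, (orig, ans) in compare().items():
        print(f"{action:24} original={orig!s:5} answer={ans}")
```

Running it shows that the original statement never matches s3:ListAllMyBuckets (its request resource is "*", not the bucket ARN), which is why the console's bucket list stays empty, and that object-level calls need the "bucketname/*" pattern.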