AWS: how to see the user1 created bucket by user2

Time:03-11

Step 1: User1 created test-bucket and uploaded a couple of files.

Step 2: The policy below is created and attached to the bucket:

{
   "Version":"2012-10-17",
   "Id":"policy example",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":"*",
         "Action":["s3:List*","s3:Get*","s3:Put*"],
         "Resource":"arn:aws:s3:::*"
      }
   ]
}

Step 3: User1 ran s3cmd ls and was able to see the bucket.

Step 4: User2 ran s3cmd ls and was not able to see the bucket.

Step 5: User2 ran s3cmd ls s3://test-bucket and was able to see the bucket content.

Question: Is there any way we can define the policy/access on the bucket such that User2 is able to see the bucket (as mentioned in Step 4)?

Thanks a lot in Advance

CodePudding user response:

If both IAM Users are in the same AWS Account

The s3cmd ls command will list all buckets in the AWS Account. It uses the s3:ListAllMyBuckets permission. Permissions to run this command are not granted by a Bucket Policy because it lists all buckets.

If you want to grant permission to use s3cmd ls, then add this permission to the IAM User:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action": "s3:ListAllMyBuckets",
         "Resource":"*"
      }
   ]
}

If the IAM Users are in different AWS Accounts

It is not possible for test-bucket to appear when a user in a different AWS Account lists buckets. This is because the s3cmd ls command lists all buckets in the current user's AWS Account. If the bucket was created in a different account, it will not be listed.

And a warning...

The bucket policy you have shown is highly insecure. It is granting permission for anyone in the world to:

  • List the content of the bucket
  • Upload files to the bucket
  • Download files from the bucket

They could, for example, upload pirated movies and then invite other people to download the files. YOU would be charged for the Data Transfer costs involved.

It is rarely a good idea to grant s3:List* or s3:Put* permissions to * (which means anybody and everybody!).
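As an added example (not code from the question or the answer above), the following Python check covers both points the answer makes: whether an identity policy's Action patterns cover s3:ListAllMyBuckets, and which sensitive actions the bucket policy from the question hands to an anonymous Principal. The two policies are embedded as constructed copies of the ones in the thread; the check matches Action patterns and Principal only and does not model resource or account boundaries.

```python
import fnmatch
import json

# Constructed copy of the bucket policy posted in the question.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Id": "policy example",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:List*", "s3:Get*", "s3:Put*"],
    "Resource": "arn:aws:s3:::*"
  }]
}""")

# Constructed copy of the identity policy proposed in the answer.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "*"
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, pattern):
    # IAM action names are matched case-insensitively; '*' is the only wildcard used here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _is_anonymous(principal):
    # Principal "*" or {"AWS": "*"} means anyone, authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def allows_action(policy, action):
    """True if any Allow statement's Action patterns cover `action`."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and any(
                _matches(action, p) for p in _as_list(stmt.get("Action", []))):
            return True
    return False

def public_grants(bucket_policy, sensitive=("s3:PutObject", "s3:ListBucket", "s3:GetObject")):
    """Return the sensitive actions an anonymous principal is allowed by a bucket policy."""
    found = set()
    for stmt in _as_list(bucket_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action", []))
        found.update(a for a in sensitive if any(_matches(a, p) for p in patterns))
    return sorted(found)
```

Running public_grants on the question's policy reports anonymous upload, list and download, which is the warning the answer gives; allows_action on the identity policy confirms it covers s3:ListAllMyBuckets.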
