I'm tasked with creating an IAM policy in AWS which grants a user access to all s3 objects in all s3 buckets within a specific account.
However, because s3 bucket names are globally unique, and there being no region or account element in an s3 ARN, it would appear that there's no way to grant access to all s3 objects in one specific account. I must grant it either to specific buckets, or all buckets in all accounts. Is that true? There must be a work around.
I want something like:
"Resource": "arn:aws:s3::<accountid>:*"
not:
"Resource": "arn:aws:s3:::*"
Anyone see any solution? I did already read this other related discussion
CodePudding user response:
You can add conditions to S3 resource policies, one of them is s3:ResourceAccount
which should allow you to use the ARN arn:aws:s3:::*
but still restrict access to only buckets in your account.