IAM policy to list specific folders inside an S3 bucket for a user

I have the following keys under the bucket demo.for.customers:

demo.for.customers/customer1/
demo.for.customers/customer2/


Now I have 2 clients, namely client1 and client2. This is what I want:

  • Give them access to the demo.for.customers stuff only.
  • Client1 should only have access to demo.for.customers/customer1/ and Client2 should only have access to demo.for.customers/customer2/.

And I can achieve this with the below policy (I create a policy for each client, so I only paste it for client1 below). I have defined this policy in IAM, not S3.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::demo.for.customers"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "customer1/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::demo.for.customers/customer1/*"]
    }
  ]
}


Problem:

  • Client1 can see all my buckets, although he cannot access any of them. I do not want it. He should only be able to see demo.for.customers.
  • Client1 can see demo.for.customers/customer2, although he cannot access it. This is very unacceptable, as I don't want him to even see what other client folders I have under this bucket.

QUESTIONS:

  • After doing a lot of searches, I found out that there is no way to list specific buckets. Is it really so?
  • However, I need to find a way to list only specific folders inside the bucket for a given user. How to do it?

Thanks.

+2




1 answer


Regarding your problems:

  • Unfortunately, there is no way to list only specific buckets. If the goal is only to allow access to one known bucket, then I would completely remove the first statement as it doesn't add any value (the bucket is already known and won't need to be enumerated).
  • Can you show the code you are using to list the contents of the bucket? Based on what you showed here, I would expect client1 to be able to display the contents of the bucket at the root of their prefix and nowhere else.


Regarding your questions:

  • Yes, there is no way to list some buckets. The list APIs are all or nothing.
  • This is done with a prefix. What language do you use? We have a sample for the AWS Mobile SDK that uses a Token Vending Machine to deliver per-user access to an S3 bucket.
+1
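As an added example (not code from the question or the answer above), the following Python models how the s3:prefix / s3:delimiter condition in the asker's s3:ListBucket statement decides which listing calls client1 may make, and what each permitted call returns against a constructed set of object keys. It is an offline model of the IAM StringEquals check and of the Contents/CommonPrefixes split that ListObjects performs when a delimiter is given; it makes no call to AWS. The object keys, the "tightened" statement that drops the "" prefix, the treatment of an absent Prefix as "" and of an absent Delimiter as a failed condition, and all helper names are assumptions made here for the example.

```python
from __future__ import annotations

# Bucket name from the question; the object keys are constructed for this
# example, since the real bucket contents are not shown on the page.
BUCKET = "demo.for.customers"
SAMPLE_KEYS = [
    "customer1/report.pdf",
    "customer1/data/jan.csv",
    "customer2/report.pdf",
    "customer2/data/feb.csv",
]


def list_bucket_statement(bucket: str, allowed_prefixes: list[str]) -> dict:
    """Build an s3:ListBucket statement in the shape used in the question:
    StringEquals on s3:prefix (one of allowed_prefixes) and s3:delimiter ("/")."""
    return {
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": [f"arn:aws:s3:::{bucket}"],
        "Condition": {
            "StringEquals": {
                "s3:prefix": list(allowed_prefixes),
                "s3:delimiter": ["/"],
            }
        },
    }


# The asker's statement permits listing at the bucket root ("") and under customer1/.
ASKERS_STATEMENT = list_bucket_statement(BUCKET, ["", "customer1/"])
# Assumed tightened variant: the root prefix is removed, so only customer1/
# itself can be listed and nothing above it.
TIGHTENED_STATEMENT = list_bucket_statement(BUCKET, ["customer1/"])


def list_allowed(statement: dict, prefix: str | None, delimiter: str | None) -> bool:
    """Model of the StringEquals evaluation for one ListObjects request.

    Model assumptions: a request with no Prefix is treated as the empty prefix
    "", and a request with no Delimiter fails the s3:delimiter condition
    because there is no value to compare.
    """
    cond = statement["Condition"]["StringEquals"]
    request_prefix = "" if prefix is None else prefix
    if request_prefix not in cond["s3:prefix"]:
        return False
    if delimiter is None or delimiter not in cond["s3:delimiter"]:
        return False
    return True


def simulate_list(keys: list[str], prefix: str, delimiter: str | None) -> dict:
    """Model of ListObjectsV2: keys under `prefix` go to Contents unless the
    remainder after the prefix contains the delimiter, in which case only the
    folder-like CommonPrefix is reported (this is how the console shows folders)."""
    contents: list[str] = []
    common: list[str] = []
    for key in keys:
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            cp = prefix + rest.split(delimiter, 1)[0] + delimiter
            if cp not in common:
                common.append(cp)
        else:
            contents.append(key)
    return {"Contents": contents, "CommonPrefixes": common}


def folders_exposed_at_root(statement: dict, keys: list[str]) -> list[str]:
    """Folder names a client learns by listing the bucket root with delimiter "/",
    or an empty list when the statement denies that call."""
    if not list_allowed(statement, "", "/"):
        return []
    return simulate_list(keys, "", "/")["CommonPrefixes"]


if __name__ == "__main__":
    for name, stmt in [("question", ASKERS_STATEMENT), ("tightened", TIGHTENED_STATEMENT)]:
        print(f"{name}: root listing exposes {folders_exposed_at_root(stmt, SAMPLE_KEYS)}")
        if list_allowed(stmt, "customer1/", "/"):
            print(f"{name}: customer1/ listing -> {simulate_list(SAMPLE_KEYS, 'customer1/', '/')}")
```

Under the question's statement the root listing is permitted and returns the CommonPrefixes customer1/ and customer2/, which is exactly how client1 learns that a customer2 folder exists even though every object under it stays inaccessible. With "" removed from s3:prefix the root call is denied and only the customer1/ listing succeeds; the trade-off is that client1 must open the customer1/ prefix directly (for example by path or URL) rather than browsing down from the bucket root. The other symptom, seeing every bucket in the account, comes from s3:ListAllMyBuckets, which the answer correctly notes cannot be scoped to a subset of buckets; dropping that first statement is the available fix.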








