
AWS: how to see the user1 created bucket by user2


Step 1: User1 created the test-bucket and uploaded a couple of files

Step 2: The policy below was created and attached to the bucket

{
  "Version": "2012-10-17",
  "Id": "policy example",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:List*", "s3:Get*", "s3:Put*"],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Step 3: User1 ran s3cmd ls and was able to see the bucket

Step 4: User2 ran s3cmd ls and was not able to see the bucket

Step 5: User2 ran s3cmd ls s3://test-bucket and was able to see the bucket's contents

Question: Is there any way we can define the policy/access on the bucket such that User2 is able to see the bucket (as mentioned in Step 4)?

Thanks a lot in Advance


Solution

If both IAM Users are in the same AWS Account

The s3cmd ls command will list all buckets in the AWS Account. It uses the s3:ListAllMyBuckets permission. Permissions to run this command are not granted by a Bucket Policy because it lists all buckets.

If you want to grant permission to use s3cmd ls, then add this permission to the IAM User:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}

If the IAM Users are in different AWS Accounts

It is not possible for test-bucket to appear when a user in a different AWS Account lists buckets. This is because the s3cmd ls command lists all buckets in the current user's AWS Account. If the bucket was created in a different account, it will not be listed.

And a warning...

The bucket policy you have shown is highly insecure. It is granting permission for anyone in the world to:

They could, for example, upload pirated movies and then invite other people to download the files. YOU would be charged for the Data Transfer costs involved.

It is rarely a good idea to grant s3:List* or s3:Put* permissions to * (which means anybody and everybody!).
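Added example, not part of the question or the answer above: a small checker that flags bucket-policy statements granting s3:List*/s3:Put*-style actions to an anonymous principal (it reports both grants in the question's policy), plus a builder for the narrowly scoped bucket policy the warning points toward. The account id and user ARN it uses are constructed placeholders, and the IAM user policy for s3:ListAllMyBuckets from the answer is still needed separately for s3cmd ls to list the bucket.

```python
import fnmatch
import json

# The bucket policy from the question, reproduced here as constructed test input.
QUESTION_BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Id": "policy example",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": ["s3:List*", "s3:Get*", "s3:Put*"],
                 "Resource": "arn:aws:s3:::*"}]}""")

# Concrete actions an anonymous principal should never hold on a bucket.
SENSITIVE_ACTIONS = ("s3:PutObject", "s3:ListBucket", "s3:DeleteObject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anybody, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_sensitive_grants(policy):
    """List (statement index, granted pattern, sensitive action) for every Allow
    statement that hands a sensitive action to a public principal."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action wildcards such as "s3:Put*" behave like shell globs.
            for action in SENSITIVE_ACTIONS:
                if fnmatch.fnmatchcase(action, pattern):
                    findings.append((idx, pattern, action))
    return findings

def scoped_bucket_policy(bucket, user_arn):
    """Grant one named IAM user list/read on one bucket only; the ARN and bucket
    name passed in are constructed placeholders, not values from the question."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": user_arn},
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Principal": {"AWS": user_arn},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}
```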