amazon-web-servicesamazon-s3amazon-iamaws-policies

AWS IAM rule to allow user to list and edit one S3 bucket


I created the following AWS policy in order to give a user access to my-backup bucket. The user can see all objects in the bucket and edit them, but he cannot go to the overview page.

I thought that by giving the ListBucket action, he would be able to see the bucket indicated. But the overview page shows an empty list as if there were no buckets at all.

What permission/action would I need to add?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-backup"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-backup/*"
            ]
        }
    ]
}

Solution

  • There is a difference between listing files in the bucket and listing the buckets. The first one already works.

    For the latter you need s3:ListAllMyBuckets on resource *. This will allow them to see every bucket you own. There is no middle ground, either they can see all buckets or no buckets. Obviously even so they can see the other buckets, as long as they have no additional permission they cannot interact with them.