stackoom
  简体   繁体   中英

AWS IAM Group Policy to limit visibility & access to only one signle S3 bucket

 原文  2016-06-28 15:47:51       amazon-web-services/ amazon-s3/ amazon-iam/ amazon-policy

Question

I created a bucket which host some web small web page and a few docs which should only be read accessible by users which have a certain login in IAM. These users should only have (read) access to this specific bucket and no other bucket. Ideally these users shouldn't even know that there are other buckets out there.

For this I create a "test" user in IAM, added the user to a group and assigned a group policy as below: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowS3GetActionsInPrivateFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my.web.page/*"
            ]
        }
    ]
}

  1. When I login with the test user and navigate to S3 I can see all my other buckets and when I click on another bucket I get a "Sorry, no permission" error. This kinda works but ideally the user shouldn't even be able to even list any other buckets.

  2. When I go to https://s3.amazonaws.com/my.web.page/index.html I get a AccessDenied XML message. How can should I modify the policy to be able to open a html page in this bucket with a browser.

  3. The user still has write access to the bucket. How can I only grant read access?

Your help is much appreciated.

1 answers

solution1
 0 ACCPTED  2016-06-28 16:07:47

Use this policy it will work. Where it says example bucket put you bucket name 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::examplebucket/*"
            ]
        },
        {
            "Sid": "AllowS3GetActionsInPrivateFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my.web.page/*"
            ]
        }
    ]
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS IAM Policies: How do I alter the AWSLambdaFullAccess policy to only allow access to one S3 bucket? How to grant access only to the Root Account User for an S3 bucket with IAM Policy AWS? S3 IAM policy for one bucket not granting access AWS CloudFormation Template for an IAM Group That May Only Access a Specific S3 Bucket AWS: s3 bucket policy does not give IAM user access to upload to bucket, throws 403 error Grant access to Amazon S3 bucket only to one IAM User Create AWS Access Policy to Only 1 S3 Bucket IAM policy on S3 bucket IAM Role policy for cross account access to S3 bucket in a specific AWS account AWS IAM Policy to allow user access to specific S3 bucket for backup
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM