I have 3 buckets A, B, and C in my account. I create a policy that restricting an IAM user access a specific bucket. Here is the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::A"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::A/*"
}
]
}
After applied this policy to an IAM user, I tried to use aws s3 ls command with the credentials.
# list buckets
➜ aws s3 ls
2020-06-20 03:54:56 A
2020-06-20 03:54:56 B
2020-06-20 03:54:56 C
➜ aws s3 ls s3://A
PER sub-foler/
➜ aws s3 ls s3://B
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
It looks like it successfully restricted the user access in buckets other than A. But the user can still see existence of other buckets such as B and C.
Is it possible to restricted the user lists only the bucket (i.e. A) which is authorized to it?
UPDATE 2024: Amazon S3 adds new Region and bucket name filtering for the ListBuckets API - AWS
The s3:ListAllMyBuckets permission grants the ability to list buckets in the AWS Account.
All buckets will be returned. It is not possible to limit which buckets are returned.
If you do not want the user to see the list of other buckets, then do not give them the ability to list the bucket names.