Reputation: 1597
I have created the following IAM policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::bucketname",
            "arn:aws:s3:::bucketname/*"
          ]
        }
      ]
    }
This works in that the only bucket they can access is the correct one, but what I want to do is set it so that the only bucket that shows when going to the bucket list is the one they have access to.
I tried changing the ARN in the `s3:ListAllMyBuckets` action to the ARN of the bucket itself, but this just gives a "no access" error when going to the bucket list.
How do I change this to only list the bucket they have access to in the bucket list?
Upvotes: 3
Views: 617
Reputation: 2684
S3 buckets are owned by a specific canonical user ID that is tied to an AWS account. When a principal is given `s3:ListAllMyBuckets` in an IAM policy, they have access to enumerate all buckets owned by the canonical user ID that provides their credential's ARN (the account number that is the fifth segment in the ARN of the user or role bearing the permission).
This means that for a given account, all principals either have `s3:ListAllMyBuckets` for all buckets in the account or none at all.
With AWS Organizations, it's relatively easy to create a dedicated account and then provide credentials (or cross account access) to a bucket (or set of buckets) that are isolated from all others; this may simulate the limited listing behavior the OP is asking for.
Upvotes: 2
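As an added illustration of the all-or-nothing behaviour the answer describes (example code written for this page, not part of the question or the answer): the checker below parses an identity policy, finds every Allow statement whose Action covers `s3:ListAllMyBuckets` (including wildcards such as `s3:*`), and reports whether the statement's Resource is one that IAM actually matches for that action (`*` or `arn:aws:s3:::*`). The policy from the question is embedded as the baseline input, and `scope_listing_to_bucket` reproduces the questioner's second attempt (pointing the listing statement at a single bucket ARN) so the resulting AccessDenied outcome can be seen without touching an AWS account. The function names, the "status" labels and the decision to ignore Deny, NotAction, NotResource and Condition are choices made for this example.

```python
import fnmatch
import json

# The policy posted in the question, embedded verbatim as the baseline input.
QUESTION_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucketname",
        "arn:aws:s3:::bucketname/*"
      ]
    }
  ]
}
"""

# s3:ListAllMyBuckets is evaluated against the account's bucket list, not a
# bucket ARN, so only these resource values ever match it.
LISTING_RESOURCES = ("*", "arn:aws:s3:::*")


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports the '*' wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_bucket_listing(policy_json):
    """Classify how an identity policy handles s3:ListAllMyBuckets.

    status is one of:
      "lists_all_buckets": some Allow statement grants the action on "*" or
                           "arn:aws:s3:::*"; the bucket list works and shows
                           every bucket in the account (no per-bucket filter).
      "listing_denied":    the action is only allowed on narrower resources,
                           which IAM never matches, so the bucket list fails
                           with AccessDenied (the questioner's second attempt).
      "no_listing":        nothing allows the action at all.
    Only Allow statements using Action/Resource are modelled (an assumption
    for this example): Deny, NotAction, NotResource and Condition are ignored.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_action_matches(a, "s3:ListAllMyBuckets") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource"))
        if any(r in LISTING_RESOURCES for r in resources):
            findings.append((index, "grants_listing", resources))
        else:
            # Action matches but the resource can never match a listing call.
            findings.append((index, "narrow_resource", resources))

    kinds = {kind for _, kind, _ in findings}
    if "grants_listing" in kinds:
        status = "lists_all_buckets"
    elif "narrow_resource" in kinds:
        status = "listing_denied"
    else:
        status = "no_listing"
    return {"status": status, "findings": findings}


def scope_listing_to_bucket(policy_json, bucket_arn):
    """Reproduce the questioner's attempt: point every statement whose only
    action is s3:ListAllMyBuckets at a single bucket ARN. Returns JSON."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if _as_list(stmt.get("Action")) == ["s3:ListAllMyBuckets"]:
            stmt["Resource"] = bucket_arn
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(check_bucket_listing(QUESTION_POLICY)["status"])
    attempt = scope_listing_to_bucket(QUESTION_POLICY, "arn:aws:s3:::bucketname")
    print(check_bucket_listing(attempt)["status"])
```

Running the checker on the original policy reports `lists_all_buckets`; on the rewritten one it reports `listing_denied`, with the `s3:*` statement also flagged as `narrow_resource` because its bucket-scoped resources cannot satisfy a listing call either. There is no input that yields "lists only one bucket", which is the point of the answer: the per-bucket view has to come from account boundaries (a dedicated account plus cross-account access), not from the Resource element of this statement.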