user389955

Reputation: 10467

Why some AWS IAM actions require all resources

When creating an IAM policy, if I choose ListAllMyBuckets, the resource becomes "*", rather than "arn:aws:s3:::*". I do not understand it. How can ListAllMyBuckets require resources not in S3? Doesn't "Bucket" mean S3 bucket?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

Upvotes: 0

Views: 1116

Answers (2)

John Hanley

Reputation: 81454

Since s3:ListAllMyBuckets only applies to S3 and no other AWS resource, "*" is shorthand for "arn:aws:s3:::*". In this case both statements are exactly the same.

Upvotes: 1

Gustavo Tavares

Reputation: 2805

The actions in IAM policies have a direct relation with the AWS API. For example, the AWS S3 API has a ListAllMyBuckets call that serves to, surprise: list all buckets of your account. There is no point in giving permission to "List All Your Buckets" and at the same time not allowing listing some of them.

The same happens with the DescribeInstances API for EC2. If you need to create limitations in your policies, you must use Conditions (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html). But they are not available in all cases.

Upvotes: 1
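As an added example (not from the question or either answer), a small Python lint that encodes the point both answers make: an account-level action such as s3:ListAllMyBuckets is granted on "*" (or, per the first answer, the equivalent arn:aws:s3:::*) and cannot be narrowed by ARN, while a resource-scoped action on "*" with no Condition deserves a second look. ACCOUNT_LEVEL_ACTIONS is an assumed, partial set built only from the two actions named above, and the sample policy is constructed for the demonstration.

```python
import json

# Assumed, partial set: the two account-level actions the answers above name.
# They apply to the whole account, so a specific ARN cannot narrow them;
# AWS lists "*" as their Resource, and a Condition is the way to limit them.
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets", "ec2:DescribeInstances"}

def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers_service(resource, service):
    """Either "*" or the service-wide wildcard the first answer calls equivalent."""
    return resource in ("*", f"arn:aws:{service}:::*")

def lint_policy(policy_json):
    """Return (sid, action, finding) tuples for every Allow statement.
    SPECIFIC_ARN: account-level action scoped to a specific ARN (cannot work).
    BROAD_STAR:   resource-scoped action on "*" with no Condition (over-broad).
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "")
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            service = action.split(":", 1)[0]
            if action in ACCOUNT_LEVEL_ACTIONS:
                if not any(_covers_service(r, service) for r in resources):
                    findings.append((sid, action, "SPECIFIC_ARN"))
            elif "*" in resources and "Condition" not in stmt:
                findings.append((sid, action, "BROAD_STAR"))
    return findings

# Constructed sample policy: one correct statement, one that tries to narrow
# an account-level action by ARN, and one that is broader than it needs to be.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ListBuckets", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Sid": "Narrowed", "Effect": "Allow", "Action": "s3:ListAllMyBuckets",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
]})
```

Calling lint_policy(SAMPLE_POLICY) reports the "Narrowed" statement as SPECIFIC_ARN and both actions of "TooBroad" as BROAD_STAR; the first statement passes.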
