Reputation: 447
S3 access to only one IAM user
How do I set the S3 read permission to only my IAM User can access? I have my IAM User config in the backend for my hybrid app but I still can't get access to S3 list.
Here is my bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxx:user/[email protected]"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-s3-bucket/*"
}
]
}
I tried was s3 ls s3://my-s3-bucket on terminal it is showing the list of items in my s3 bucket but not the backend. If I change the Principal to "*" I can access without any problem. (I want to limit to only my app can access it with the IAM User credential I have).
The error I have
{"code":"InternalError","message":"Access Denied"}
Thank you.
Upvotes: 1
Views: 1357
Answers (2)
Reputation: 238747
For s3 ls s3://my-s3-bucket to work you need s3:ListBucket permissions along with bucket resource:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxx:user/[email protected]"
},
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": ["arn:aws:s3:::my-s3-bucket/*",
"arn:aws:s3:::my-s3-bucket"]
}
]
}
Upvotes: 0
Reputation: 270104
The aws s3 ls command is used to list the contents of a bucket but your policy is only granting permission to GetObject (which means to read the contents of an object).
If you wish to allow listing of the bucket, you would also need to grant s3:ListBucket permissions.
Bucket Policies vs IAM Policies
Typically, Bucket Policies are used to grant public or cross-account access.
If you wish to grant access to a specific IAM User, then it is better to add a policy on the IAM User themselves:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-s3-bucket/*"
}
]
}
However, you say "only one user". This becomes more difficult if any other users have been granted access to ALL S3 buckets with an Admin-like policy. In this situation, it you would need to add a Deny to the Bucket Policy to prevent access by anyone who has been granted access to all Buckets. This starts to get a little tricky because Deny policies have a habit of denying more than you expect.
If the bucket contains sensitive information, another option is to put the bucket in a different AWS Account and then only grant cross-account access to the specific IAM Users who need access. This prevents people gaining Admin-like access and avoids the need to use a Deny policy.
Upvotes: 1
Related Questions
- Create a single IAM user to access only specific S3 bucket
- I need an Amazon S3 user with full access to a single bucket
- Deny AWS S3 bucket access for 2 users
- Allow IAM user to access single, access denied
- Allow multiple users access to private S3 folder using IAM roles
- Restrict user access to Single S3 Bucket using Amazon IAM?
- Allow IAM user to access single s3 bucket
- How do I restrict an IAM user to just 1 bucket?
- AWS S3 - How to restrict an IAM user to just a single bucket?
- AWS S3 grant access to single IAM user