Reputation: 1728
How do you create an ARN that specifies all S3 buckets in a specific account?
I'm tasked with creating an IAM policy in AWS which grants a user access to all s3 objects in all s3 buckets within a specific account.
However, because s3 bucket names are globally unique, and there being no region or account element in an s3 ARN, it would appear that there's no way to grant access to all s3 objects in one specific account. I must grant it either to specific buckets, or all buckets in all accounts. Is that true? There must be a work around.
I want something like:
"Resource": "arn:aws:s3::<accountid>:*"
not:
"Resource": "arn:aws:s3:::*"
Anyone see any solution? I did already read this other related discussion
Upvotes: 3
Views: 6998
Answers (1)
Reputation: 3624
You can add conditions to S3 resource policies, one of them is s3:ResourceAccount which should allow you to use the ARN arn:aws:s3:::* but still restrict access to only buckets in your account.
Upvotes: 5
Related Questions
- Create a single IAM user to access only specific S3 bucket
- Why does S3 bucket ARN not contain AWS account number?
- How to sync multiple S3 buckets using multiple AWS accounts?
- Restrict user access to Single S3 Bucket using Amazon IAM?
- Creating IAM policy to list and access single bucket
- Allow IAM user to access single s3 bucket
- AWS S3: Setting a bucket policy for multiple users in an account
- How to set up S3 Policies for multiple IAM users such that each individual only has access to their personal bucket folder?
- How do I restrict an IAM user to just 1 bucket?
- AWS S3 - How to restrict an IAM user to just a single bucket?