AWS IAM S3 Policy

Question

I currently have AWS Policy that grants a user account access to create new users with limited access to IAM and S3

How can I reduce the permission of this user further so the user is unable to list all the S3 buckets on my account

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:PutUserPolicy",
                "iam:GetUser",
                "iam:CreateUser",
                "iam:CreateAccessKey"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*"
        }
    ]
}

Well, clearly this policy allows all S3 actions on all resources. What problem are you having reducing this level of access? — jarmod, Feb 08 '20 at 19:38
I need to grant this user the ability to only create new bucket but restrict the ability to list all the buckets on my account — zaddyn00b, Feb 08 '20 at 19:41
You can modify the policy to only allow s3:CreateBucket but that doesn't seem all that useful. How will they access the bucket after they create it, for example? Have you thought through what these users will actually need? — jarmod, Feb 08 '20 at 19:44
This seems like a duplicate of a common question/desire. How do I let people list buckets but only see the ones they are allowed to see? The answer is that you can't. See [this answer](https://stackoverflow.com/a/18089783/2860032) to a similar question on the workarounds. — Jason Wadsworth, Feb 08 '20 at 20:35
If what you're looking for here is per-user S3 storage, then a common solution has an admin creating a shared S3 bucket and then giving individual users permissions to access objects below a user-specific prefix (see https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/). Each user has a dedicated folder that no-one else can access, and they can do what they want below that folder. There's typically no need to allow users to create individual buckets for this use case. But that may not be what you want, it's hard to tell. — jarmod, Feb 09 '20 at 01:02
@zaddyn00b When you say "grants a user account access to create new users with limited access to IAM and S3", are you referring to [Delegate permission management to developers by using IAM permissions boundaries | AWS Security Blog](https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/)? Because the policy you have shown allows the assigned user permission to do anything in S3 and CloudFormation, and also some IAM actions. — John Rotenstein, Feb 09 '20 at 05:22

score 0 · Answer 1 · answered Feb 09 '20 at 05:21

It is not possible to limit the list of buckets presented to a user. Either they have permission to list all the buckets in an account, or they do not have permission to list any buckets.

The ability to list buckets is separate to the ability to list the contents of a bucket.

AWS IAM S3 Policy

1 Answers1