IAM Policy to list specific folders inside an S3 bucket for a user

I have the below keys under the bucket demo.for.customers:

demo.for.customers/customer1/
demo.for.customers/customer2/

Now I have 2 customers, namely customer1 and customer2. This is what I want:

  1. Grant them access to only the demo.for.customers bucket.
  2. customer1 should be able to access only demo.for.customers/customer1/ and customer2 should be able to access only demo.for.customers/customer2/.

And I am able to achieve this with the below policy (I am creating a policy for each customer, hence I am pasting only the one for customer1 below). I have defined this policy in IAM and not in S3.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::demo.for.customers"],
      "Condition": {"StringEquals": {"s3:prefix": ["", "customer1/"], "s3:delimiter": ["/"]}}
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::demo.for.customers/customer1/*"]
    }
  ]
}

Problem:

  1. Customer1 is able to see all my buckets, although he can't access any of them. I don't want this. He should be able to see only demo.for.customers.
  2. Customer1 is able to see demo.for.customers/customer2 as well, although he can't access it. This is highly unacceptable, as I don't want him to even see what other customer folders I have under this bucket.

QUESTIONS:

  1. After doing a lot of googling, I came to know that there is no way to list specific buckets. Is this really true?
  2. However, I have to find a way to list only specific folders inside a bucket for a given user. How to do that?

Thanks.

ANSWERS:

Regarding your problems:

  1. Unfortunately there is no way to list only certain buckets. If the intent is just to allow access to the one known bucket, I would remove the first statement entirely as it does not add any value (the bucket is already known and would not need to be listed).
  2. Can you show the code you are using to list the bucket contents? Based on what you've shown here I would expect customer1 to only be able to list the bucket contents at the root of their prefix and nowhere else.

Regarding your questions:

  1. Yes, there is no way to list certain buckets. The list buckets API is an all or nothing operation.
  2. This is done by prefix. What language are you using? We have a sample for the AWS Mobile SDKs that uses a Token Vending Machine to deliver per user access to an S3 bucket.
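Added example, not code from the question or the answer above: a small Python model of how IAM evaluates the s3:ListBucket statement from the posted policy, run against constructed bucket contents. The evaluator is a deliberate simplification of IAM (Allow statements only, the StringEquals and StringLike operators, no explicit Deny, no policy variables), and the hardened policy variant is an assumption of this example, not something on the page. It shows that the empty string in the posted s3:prefix list is what lets customer1 list the bucket root, where the "/" delimiter turns every top-level folder, customer2/ included, into a CommonPrefixes entry; that the StringEquals form cannot list anything below customer1/; and that a StringLike condition on customer1/* alone closes the root listing while still allowing subfolders.

```python
"""Model of IAM evaluation for the s3:ListBucket statement in the posted
policy.  Added example, not from the question or the answer.  Simplified
on purpose: Allow statements only, StringEquals/StringLike operators, no
explicit Deny, no policy variables.  Bucket contents are constructed."""

import fnmatch

BUCKET_ARN = "arn:aws:s3:::demo.for.customers"

# Constructed object keys standing in for the real bucket.
BUCKET_KEYS = [
    "customer1/",
    "customer1/report.csv",
    "customer1/2024/q1.csv",
    "customer2/",
    "customer2/invoice.pdf",
]

# The ListBucket statement as posted: note "" in the s3:prefix list.
POLICY_AS_POSTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": [BUCKET_ARN],
        "Condition": {"StringEquals": {"s3:prefix": ["", "customer1/"],
                                       "s3:delimiter": ["/"]}},
    }],
}

# Hardened variant (an assumption of this example, not from the page):
# no root listing, and a StringLike pattern so folders below customer1/
# can still be listed.
POLICY_HARDENED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": [BUCKET_ARN],
        "Condition": {"StringLike": {"s3:prefix": ["customer1/*"]},
                      "StringEquals": {"s3:delimiter": ["/"]}},
    }],
}


def _cond_ok(operator, pattern, value):
    """One condition value against one request value."""
    if value is None:
        return False  # key absent from the request: the condition fails
    if operator == "StringEquals":
        return value == pattern
    if operator == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)  # IAM's * and ? wildcards
    raise ValueError(f"unsupported condition operator: {operator}")


def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches the action and resource and
    every condition key in it is satisfied by the request context."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        # a key passes when the request value matches ANY of its listed values
        satisfied = all(
            any(_cond_ok(op, p, context.get(key)) for p in patterns)
            for op, keys in stmt.get("Condition", {}).items()
            for key, patterns in keys.items()
        )
        if satisfied:
            return True
    return False


def list_bucket(keys, prefix, delimiter):
    """Mimic ListObjects: keys directly under prefix go to Contents, deeper
    keys collapse to one CommonPrefixes entry each (the S3 'folders')."""
    contents, common = [], set()
    for key in keys:
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            common.add(prefix + rest.split(delimiter, 1)[0] + delimiter)
        else:
            contents.append(key)
    return {"Contents": sorted(contents), "CommonPrefixes": sorted(common)}


def simulate_listing(policy, prefix, delimiter="/"):
    """What customer1 gets back for a ListBucket call with this prefix."""
    ctx = {"s3:prefix": prefix, "s3:delimiter": delimiter}
    if not is_allowed(policy, "s3:ListBucket", BUCKET_ARN, ctx):
        return "AccessDenied"
    return list_bucket(BUCKET_KEYS, prefix, delimiter)


if __name__ == "__main__":
    for name, pol in (("as posted", POLICY_AS_POSTED), ("hardened", POLICY_HARDENED)):
        for prefix in ("", "customer1/", "customer1/2024/", "customer2/"):
            print(f"{name:9} prefix={prefix!r:18} -> {simulate_listing(pol, prefix)}")
```

The real request the model stands in for is `aws s3api list-objects-v2 --bucket demo.for.customers --prefix customer1/ --delimiter /`; a root listing is the same call with an empty prefix, which the posted condition explicitly permits via the "" entry. The other two statements of the posted policy are left as they are, since they do not affect what ListBucket returns.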
