How to restrict the S3 buckets listing in the Visual Studio AWS explorer

Question

I am setting up the AWS toolkit in the Visual Studio. I have created an IAM user which will be used for development.

But for the IAM user I have configured I am seeing that it cannot see the S3 buckets in the explorer. It gives "Access denied".

This is the custom role assigned to the IAM user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListing",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::dev-buckets"
        },
        {
            "Sid": "AllowReadWriteDel",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::dev-buckets/*"
        }
    ]
}

The only way I can get it working is by adding "AmazonS3FullAccess" policy to the IAM user. But then it exposes all the buckets in the account. Not just the buckets meant for the developers.

Is it possible to do using a custom policy? I am a beginner.

Answer 1

You cannot only list specific bucket when trying to list buckets.

I think the following policy should help you out:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                        "s3:GetBucketLocation",
                        "s3:ListAllMyBuckets"
                      ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::dev-buckets",
                "arn:aws:s3:::dev-buckets/*"
            ]
        }
    ] 
}