Comments (5)
simonw
commented on July 19, 2024
There are 50 s3 read and 10 s3 list permissions listed here: https://iam-definitions.vercel.app/iam/privileges?service__exact=s3&_sort=rowid&_facet=access_level&access_level__in=Read,List&_nocol=resource_types&_nocol=access_level
- s3:DescribeJob
- s3:DescribeMultiRegionAccessPointOperation
- s3:GetAccelerateConfiguration
- s3:GetAccessPoint
- s3:GetAccessPointConfigurationForObjectLambda
- s3:GetAccessPointForObjectLambda
- s3:GetAccessPointPolicy
- s3:GetAccessPointPolicyForObjectLambda
- s3:GetAccessPointPolicyStatus
- s3:GetAccessPointPolicyStatusForObjectLambda
- s3:GetAccountPublicAccessBlock
- s3:GetAnalyticsConfiguration
- s3:GetBucketAcl
- s3:GetBucketCORS
- s3:GetBucketLocation
- s3:GetBucketLogging
- s3:GetBucketNotification
- s3:GetBucketObjectLockConfiguration
- s3:GetBucketOwnershipControls
- s3:GetBucketPolicy
- s3:GetBucketPolicyStatus
- s3:GetBucketPublicAccessBlock
- s3:GetBucketRequestPayment
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetBucketWebsite
- s3:GetEncryptionConfiguration
- s3:GetIntelligentTieringConfiguration
- s3:GetInventoryConfiguration
- s3:GetJobTagging
- s3:GetLifecycleConfiguration
- s3:GetMetricsConfiguration
- s3:GetMultiRegionAccessPoint
- s3:GetMultiRegionAccessPointPolicy
- s3:GetMultiRegionAccessPointPolicyStatus
- s3:GetObject
- s3:GetObjectAcl
- s3:GetObjectLegalHold
- s3:GetObjectRetention
- s3:GetObjectTagging
- s3:GetObjectTorrent
- s3:GetObjectVersion
- s3:GetObjectVersionAcl
- s3:GetObjectVersionForReplication
- s3:GetObjectVersionTagging
- s3:GetObjectVersionTorrent
- s3:GetReplicationConfiguration
- s3:GetStorageLensConfiguration
- s3:GetStorageLensConfigurationTagging
- s3:GetStorageLensDashboard
- s3:ListAccessPoints
- s3:ListAccessPointsForObjectLambda
- s3:ListAllMyBuckets
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:ListBucketVersions
- s3:ListJobs
- s3:ListMultiRegionAccessPoints
- s3:ListMultipartUploadParts
- s3:ListStorageLensConfigurations
from s3-credentials.
simonw
commented on July 19, 2024
AWS are dropping Torrent support: https://github.com/awsdocs/amazon-s3-userguide/blob/0d1759880ccb1818ab0f14129ba1321c519d2ac1/doc_source/S3Torrent.md - so I won't include GetObjectTorrent or GetObjectVersionTorrent.
from s3-credentials.
simonw
commented on July 19, 2024
I'm going with:
s3:GetObject
s3:GetObjectAcl
s3:GetObjectLegalHold
s3:GetObjectRetention
s3:GetObjectTagging
And from the List family:
s3:ListBucket
I decided NOT to include the "get version" ones:
s3:GetObjectVersion
s3:GetObjectVersionAcl
s3:GetObjectVersionForReplication
s3:GetObjectVersionTagging
s3:ListBucketVersions
I'm not including these because it feels like it would be a surprise if you said "this client has read-only permissions" and the client could then retrieve information about previous versions of objects in the bucket - when you updated them you may have done so to remove information that you didn't want visible, for example.
from s3-credentials.
simonw
commented on July 19, 2024
Also not including the ones relating to multi-part uploads:
s3:ListBucketMultipartUploads
s3:ListMultipartUploadParts
Those seem like they should be reserved for clients that are writing to the bucket and may need to continue an upload.
from s3-credentials.
simonw
commented on July 19, 2024
I'm going to add GetBucketLocation too, see #15 (comment)
from s3-credentials.
Related Issues (20)
- Way to make an existing bucket public or private HOT 1
- Convert README into documentation website HOT 3
- Make it easier to add extra policy statements HOT 10
- Provide a `--profile` option to allow AWS profile selection HOT 3
- Using --policy should imply --user-permissions-boundary=none HOT 2
- s3-credentials.AmazonS3FullAccess has MaxSessionDuration 3600, should be 12 hours HOT 5
- KeyError if listing bucket with no items returned
- s3-credentials list-buckets --details should show region and website URL, if configured HOT 2
- `s3-credentials get-objects` command HOT 7
- `get-objects/put-objects` `--skip` and `--skip-hash` options HOT 1
- Add the options to add tags to the created resources HOT 3
- `set-public-policy` command HOT 5
- Add s3:PutObjectAcl to write policies HOT 3
- `s3-credentials delete-objects` command HOT 11
- Mysterious test failure in `test_put_objects` HOT 4
- debug-bucket command HOT 2
- Command to make a bucket public HOT 4
- `s3-credentials create name-of-bucket --create-bucket --public` fails with error HOT 4
- `s3-credentials list-bucket --urls` option HOT 1
- CI failures, including ImportError: cannot import name 'mock_s3' from 'moto' HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from s3-credentials.