diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md index 239d5bbec91..f7fec4e2a9a 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md @@ -1,7 +1,7 @@ --- title: Object Storage - Identitäts- und Zugriffsverwaltung (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-au.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-au.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-au.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-au.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ca.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ca.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ca.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ca.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md index 132d80b49f2..57799b7526b 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-07-11 +updated: 2025-08-25 --- ## Objective @@ -164,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ie.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ie.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ie.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ie.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-sg.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-sg.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-sg.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-sg.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-us.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-us.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-us.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-us.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-es.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-es.md index 984d203cf6c..68d3d532509 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-es.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-es.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Gestión de identidad y acceso (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-us.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-us.md index 984d203cf6c..68d3d532509 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-us.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-us.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Gestión de identidad y acceso (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md index 2f8d7937ea7..1d34b3e7075 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Gestion des identités et des accès excerpt: Ce guide a pour objectif de vous montrer la gestion de vos identités et accès à vos ressources Object Storage -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objectif @@ -120,6 +120,24 @@ Quelques exemples de fichiers de configuration JSON : } ``` +**Refuser l'affichage de tous les buckets appartenant au compte.** + +> [!primary] +> +> L'action (`s3:ListAllMyBuckets`) est autorisée par défaut pour un utilisateur donné. Ajouter explicitement un `deny`{.action} si vous souhaitez refuser l'utilisation de l'opération d'API `ListBuckets`{.action}. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Autoriser toutes les opérations sur toutes les ressources d'un projet** ```json 
@@ -146,6 +164,75 @@ Quelques exemples de fichiers de configuration JSON : } ``` +**Autoriser l'accès en lecture sur les objets uniquement à des adresses IP specifiques** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Autoriser l’accès à toutes les opérations uniquement depuis certaines adresses IP en utilisant une liste blanche des adresses autorisées** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Refuser l’accès en lecture aux objets depuis certaines adresses IP en utilisant une liste noire des adresses non autorisées.** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### Liste des actions supportées | Action | Scope | @@ -176,6 +263,7 @@ Quelques exemples de fichiers de configuration JSON : | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md index 8cf9ef086d0..1d34b3e7075 100644 
--- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md @@ -1,7 +1,7 @@ --- title: Object Storage - Gestion des identités et des accès excerpt: Ce guide a pour objectif de vous montrer la gestion de vos identités et accès à vos ressources Object Storage -updated: 2025-07-11 +updated: 2025-08-25 --- ## Objectif @@ -164,6 +164,75 @@ Quelques exemples de fichiers de configuration JSON : } ``` +**Autoriser l'accès en lecture sur les objets uniquement à des adresses IP specifiques** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Autoriser l’accès à toutes les opérations uniquement depuis certaines adresses IP en utilisant une liste blanche des adresses autorisées** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Refuser l’accès en lecture aux objets depuis certaines adresses IP en utilisant une liste noire des adresses non autorisées.** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### Liste des actions supportées | Action | Scope | 
diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.it-it.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.it-it.md index 832d06b2d69..f047ebf9e3f 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.it-it.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.it-it.md @@ -1,7 +1,7 @@ --- title: Object Storage - Identità e gestione degli accessi (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pl-pl.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pl-pl.md index 38f19908239..b583e7cc36b 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pl-pl.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pl-pl.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Zarządzanie tożsamością i dostępem (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pt-pt.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pt-pt.md index c23c6ff8930..9c1bd3b8bc9 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pt-pt.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pt-pt.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Gerenciamento de identidade e acesso (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object |
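Review bot: the `aws:SourceIp` value `10.0.0.5/16` in all three IP-condition examples (every locale's `@@ -146,6 +164,7x @@` hunk) is a non-canonical CIDR with host bits set, which makes it unclear whether a single host or a /16 network is intended. Use `10.0.0.0/16` for the network or `10.0.0.5/32` for the single address, and pick one consistently across the `IpAddress` and `NotIpAddress` examples so readers can compare them directly.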
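Review bot: the statement under "Allow all operations to specific IPs by whitelisting authorized IPs" (and its French counterpart "Autoriser l’accès à toutes les opérations uniquement depuis certaines adresses IP") grants nothing on its own: it is `"Effect": "Deny"` with `"Action": "s3:*"` and `NotIpAddress`, so it only blocks requests from outside the range. Either add the companion `Allow` statement that this `Deny` is meant to restrict, or reword the heading to say it denies all operations from non-whitelisted IPs; otherwise a reader copying only this block will lock the user out entirely.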
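Review bot: the statement under "Deny read access to objects to specific IPs by blacklisting unauthorized IPs" does not deny anything: it is `"Effect": "Allow"` with `NotIpAddress`, i.e. an allow for every source except the listed range. If the user also holds another `Allow` (for example the "Allow all operations on all project resources" policy shown earlier), the blacklisted IPs keep read access. For a true blacklist the example should use `"Effect": "Deny"` with an `IpAddress` condition, since an explicit deny overrides other allows; if the current form is intentional, the heading should say the policy allows reads only from IPs outside the range.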
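Review bot: the first and third IP examples list the bucket-scoped actions `s3:ListBucket` and `s3:ListBucketVersions` (the supported-actions table in the same hunk marks `s3:ListBucket` as `Bucket` scope) but their `Resource` array contains only `arn:aws:s3:::companybucket/*`, the object ARN pattern. The second example already has both `arn:aws:s3:::companybucket` and `arn:aws:s3:::companybucket/*`; the other two should do the same, otherwise the listing actions have no matching resource and only `s3:GetObject` takes effect. Separately, these three examples set `"Statement"` to a single object while the `DenyListBucket` example in the same change uses an array (`"Statement":[{ ... }]`); prefer the array form everywhere for consistency with the rest of the guide.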
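Review bot: in the `DenyListBucket` callout added to the de-de, it-it, pl-pl and pt-pt files (`@@ -120,6 +120,24 @@`), `explictly` should be `explicitly`, and the parentheses around `s3:ListAllMyBuckets` in "The (`s3:ListAllMyBuckets`) action" are stray. The `Sid` value `DenyListBucket` is also easy to confuse with the distinct `s3:ListBucket` action; a name such as `DenyListAllMyBuckets` would match the action it actually denies. The callout correctly ties the IAM action `s3:ListAllMyBuckets` to the `ListBuckets` API operation, so keep that mapping.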
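Review bot: the fr-fr hunk (`@@ -164,6 +164,75 @@`) does not add the `| s3:ListAllMyBuckets | Bucket |` row to the supported-actions table, whereas every other locale's `@@ -176,6 +264,7 @@` hunk does; confirm the row is already present in the French table or add it. Also in the French headings, `specifiques` should be `spécifiques`, the apostrophe style is mixed (`l'accès` versus `l’accès`), and the third heading ends with a period while the other two do not. Finally, the English-content hunks insert two blank lines (`+` then `+**Allow read access ...**`) where the French hunk inserts one, leaving a double blank line after the preceding code fence.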