I'm trying to set up permissions in Amazon S3 where certain users can see object metadata without being able to download the actual files. The problem is that both the HeadObject and GetObject actions share the same permissions, making it impossible to limit access to just metadata through bucket policies or IAM policies. Does anyone else encounter this issue or have suggestions for managing this?
2 Answers
What’s the actual reason behind wanting to access metadata without the ability to download the file?
Exactly, like when a security person needs to check labels on boxes but doesn't need access to what's inside unless necessary.
If you're looking to provide access to metadata without giving file retrieval rights, consider using services like QuickSight to present that data through dashboards instead.

In banking, for example, developers need to monitor system traffic without seeing sensitive transaction details.
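An added example, not part of any post above: since HeadObject is authorized by the same permission as GetObject, one way to expose metadata only is a small broker that holds that permission itself and returns just the HeadObject fields. The names `get_object_metadata`, `ALLOWED_FIELDS`, `ALLOWED_PREFIXES` and `FakeS3` are hypothetical, and it is assumed that callers may invoke the broker but have no S3 read permission of their own.

```python
# Added example: metadata-only broker. Assumption: this runs under a role that
# holds s3:GetObject, and callers are only allowed to invoke the broker.
from typing import Any, Dict

# Fields copied from the HeadObject response; everything else is dropped.
ALLOWED_FIELDS = ("ContentLength", "ContentType", "ETag", "LastModified",
                  "StorageClass", "ServerSideEncryption", "Metadata")

# Assumption: only keys under these prefixes may be inspected via the broker.
ALLOWED_PREFIXES = ("reports/", "uploads/")


class MetadataAccessDenied(Exception):
    """Raised when the requested key is outside the broker's scope."""


def get_object_metadata(s3_client: Any, bucket: str, key: str) -> Dict[str, Any]:
    """Return allow-listed metadata for one object, never the body.

    s3_client is a boto3 S3 client (or anything exposing head_object).
    The broker only ever calls head_object, so no object bytes reach the caller.
    """
    if not key.startswith(ALLOWED_PREFIXES):
        raise MetadataAccessDenied(key)
    response = s3_client.head_object(Bucket=bucket, Key=key)
    return {f: response[f] for f in ALLOWED_FIELDS if f in response}


class FakeS3:
    """Constructed stand-in for a boto3 client so the example runs offline."""

    def head_object(self, Bucket: str, Key: str) -> Dict[str, Any]:
        # Constructed sample response, shaped like a HeadObject result.
        return {"ContentLength": 2048, "ContentType": "application/pdf",
                "ETag": '"constructed-etag"',
                "Metadata": {"label": "confidential"},
                "ResponseMetadata": {"RequestId": "constructed"}}

    def get_object(self, Bucket: str, Key: str) -> Dict[str, Any]:
        raise AssertionError("broker must never fetch the object body")


if __name__ == "__main__":
    print(get_object_metadata(FakeS3(), "example-bucket", "reports/q1.pdf"))
```

User-defined `Metadata` values can themselves be sensitive, so remove that field from `ALLOWED_FIELDS` if object labels should not be visible to callers.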