Hiding services from the management console

2023-09-11 10:38:07 Author: 我的光芒亮瞎了你的狗眼i

I have set up IAM permissions for a certain group to only have read-only access to S3, however, the group can still see all the other services in the management console and go into them. As soon as the user tries to do something, a message will read "Not authorised" and so on, however, I would like this group to only see the one service in the management console.

So when a user from this group logs in, all they see is S3.

How is this possible?

Recommended answer

Hiding services from the AWS Management Console is not possible right now, unfortunately. AWS is currently redesigning the console though, and this might include such options down the road as per the respective FAQ "Why are you changing the console design?":

Our goal is to improve information display, make interactions more consistent, support devices such as tablets, and deliver a customizable experience. You will see these improvements and visual updates rolled out across our services over the coming months. [...] [emphasis mine]

However, at this point the mentioned customizable experience likely only refers to the recently introduced Resource Groups and Tagging for AWS, which allow you to easily create, maintain, and view a collection of resources that share common tags:

[...] By default, the AWS Management Console is organized by AWS service. But with the Resource Groups tool, you can create a custom console that organizes and consolidates the information you need based on your project and the resources you use. If you manage resources in multiple regions, you can create a resource group to view resources from different regions on the same screen. [emphasis mine]

Based on this new cross region Resource Groups approach, it is indeed possible to create and share a resource group that is constrained to the resource type S3 Buckets (i.e. the initial view would be limited to just S3 buckets) - however, just like with the regular console view, this doesn't prevent your users from roaming freely around other areas of the console by themselves, i.e. you cannot enforce the desired limitation, rather only guide in this direction.
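
Why the other services stay visible but unusable, as an added example that is not part of the original answer: a simplified model of IAM's decision order (explicit deny, then allow, otherwise implicit deny) applied to a constructed S3 read-only policy. It matches on Action only and ignores Resource, Condition, NotAction and permission boundaries; the policy and function names are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed policy: read-only S3, in the spirit of what the question describes.
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' act as wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policies, action):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one API action."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny always wins
            allowed = True
    # No matching statement at all means the request is denied by default.
    return "Allow" if allowed else "ImplicitDeny"


def console_report(policies, actions):
    """Map each API action a console page would call to its decision."""
    return {action: evaluate(policies, action) for action in actions}


if __name__ == "__main__":
    # Constructed sample of calls made while browsing different console pages.
    sample = ["s3:ListAllMyBuckets", "s3:GetObject", "s3:PutObject",
              "ec2:DescribeInstances", "iam:ListUsers"]
    for action, decision in console_report([S3_READ_ONLY], sample).items():
        print(f"{action:24} {decision}")
```

The console page for a service still loads because the navigation itself is not governed by the policy; only the API calls made from that page are evaluated, and those fall through to the implicit deny.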