I have a list of buckets in AWS S3. I have created an IAM user. I have an option to provide S3 full or read-only access for a user using groups. Is there any option to provide access only to a particular bucket?
5 Answers
Amazon's IAM roles generally grant a role access to a particular ARN (Amazon Resource Name). Amazon notes on their pages that for S3 a resource
...can be a bucket-name or a bucket-name/object-key.
They also provide a helpful example for doing just this which appears as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::test"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::test/*"]
        }
    ]
}
Attach the policy below to that user:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET",
                "arn:aws:s3:::YOUR-BUCKET/*"
            ]
        }
    ]
}
https://www.serverkaka.com/2018/05/grant-access-to-only-one-s3-bucket-to-aws-user.html
To provide access to a specific bucket, you can define the following policy for that user or group:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}
where my-bucket is the name of your bucket.
Then send them the Console URL for that bucket, e.g.
https://s3.console.aws.amazon.com/s3/buckets/BUCKET_NAME/
Add the following policy if you want access from FTP-style software such as WinSCP, CyberDuck, etc.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::test1",
                "arn:aws:s3:::test2"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::test1/*",
                "arn:aws:s3:::test2/*"
            ]
        }
    ]
}
I learnt this from Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
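A way to check, before attaching one of the policies above, that it really reaches only the intended bucket. This is an added example of my own, not code from any of the answers or from AWS: a small offline simulator of the IAM policy shape used on this page (Allow/Deny, `*` and `?` wildcards in Action and Resource, explicit deny beating allow, default deny). It ignores Conditions, principals, bucket policies and SCPs, so it is a sanity check rather than a replacement for AWS's evaluation. Assumptions are marked in the code: `SINGLE_BUCKET_POLICY` is the third answer's policy with `my-bucket` filled in, `DENY_DELETE_POLICY` is the second answer's `s3:*` grant plus an explicit Deny (to show both that `s3:*` on the bucket ARN includes bucket-management actions such as `s3:DeleteBucket`, and that a Deny overrides an Allow), `ACCOUNT_WIDE_OK` is the set of actions you are willing to grant on every resource, and `s3:ListAllMyBuckets` is modelled as a request against an arbitrary bucket ARN.

```python
"""Offline simulator for the bucket-scoped S3 IAM policies shown in the answers.

Added illustration, not AWS's evaluation engine. Models only Allow/Deny effects,
'*' and '?' wildcards in Action and Resource, explicit-deny-wins and default-deny.
Conditions, principals, resource (bucket) policies and SCPs are not modelled."""
import fnmatch
import json

# Constructed: the third answer's policy with "my-bucket" as the bucket name.
SINGLE_BUCKET_POLICY = json.loads(r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
     "Resource": ["arn:aws:s3:::my-bucket"]},
    {"Effect": "Allow",
     "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::my-bucket/*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"}
  ]
}''')

# Constructed: the second answer's "s3:*" grant on one bucket, plus an explicit
# Deny on object deletion to show that a Deny always overrides an Allow.
DENY_DELETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::my-bucket/*"},
]}

# Constructed counter-example: full S3 access on every resource, which is what
# the question is trying to avoid.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Assumption: the only actions you accept on every resource are the two the
# answers grant account-wide so the console and clients can enumerate buckets.
ACCOUNT_WIDE_OK = {"s3:listallmybuckets", "s3:getbucketlocation"}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' a single one."""
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True when the statement names both the action and the resource."""
    # Action names are case-insensitive in IAM; S3 ARNs are case-sensitive.
    action_hit = any(_matches(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
    resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny; a single matching Deny beats any number of matching Allows."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def buckets_with_object_access(policy: dict, bucket_names) -> list:
    """Subset of bucket_names whose objects the policy lets the principal read."""
    return [b for b in bucket_names
            if is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{b}/any-key")]


def overly_broad_statements(policy: dict) -> list:
    """Action lists of Allow statements that reach an unrelated bucket or its
    objects with anything beyond the ACCOUNT_WIDE_OK enumeration actions."""
    probe_bucket = "arn:aws:s3:::zz-unrelated-probe-bucket"
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        reaches_any = any(_matches(r, probe_bucket) or _matches(r, probe_bucket + "/key")
                          for r in _as_list(stmt["Resource"]))
        wide_actions = [a for a in _as_list(stmt["Action"]) if a.lower() not in ACCOUNT_WIDE_OK]
        if reaches_any and wide_actions:
            findings.append(wide_actions)
    return findings


if __name__ == "__main__":
    buckets = ["my-bucket", "other-bucket", "logs-bucket"]
    print("object access:", buckets_with_object_access(SINGLE_BUCKET_POLICY, buckets))
    print("too broad:", overly_broad_statements(BROAD_POLICY))
```

Running it shows the property the question asks for: with the single-bucket policy the principal can list bucket names across the account but read, write or list objects only in `my-bucket`, and the broad policy is flagged because `s3:*` reaches an unrelated bucket. Note that `s3:*` on the bucket ARN, as in the second answer, also allows bucket-management actions, which is why the simulator lets `s3:DeleteBucket` through on that policy unless a Deny is added.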
Since you are looking for programmatic role creation you might consider IAM Roles for EC2. Those can be applied to EC2 instances without human intervention, and they also avoid the need to store many credentials/keys, which is always nice when using automation.