Grant an IAM user access to a single S3 bucket

"In this guide , We will learn to configure an IAM policy using which we can provide access to an IAM user for a Specific S3 Bucket and/or folder within the S3 Bucket."

• IAM is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users can access.
  

• IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Console or CLI.

• Amazon S3 provides object storage, which is built for storing and recovering any amount data from anywhere over the internet. It provides this storage through a web services interface.

Creating IAM Policy

The IAM policy that we are going to create grants full access for an IAM user to the Single S3 bucket , so that user can manage the files and folders within the specified S3 bucket.

Login to IAM Console.

From the navigation pane , Choose Policies

There are two types of policies:

1. The policies that are managed by AWS are referred to as the AWS managed Policy.
2. The Policies that we create are called Customer managed Policy.

Let us implement an IAM policy which will grant an IAM user full access to that specific S3 bucket.

For this tutorial , Let’s say you have the bucket named as singles3bucketaccess

To Create policy → Create policy , and click JSON.

In the JSON column, Remove the existing policy and add the below policies.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::singles3bucketaccess", "arn:aws:s3:::singles3bucketaccess/*" ] } ] }

• The first half of the IAM policy grants permission for an IAM user to list all the available S3 buckets / S3 console.

• The second half of the IAM policy grants permission for an IAM user to access all the files and folders created within the S3 bucket : singles3bucketaccess.

Instead of granting full access to the S3 bucket , We can provide specific access to a S3 bucket action such as GetObject , ListJobs etc.

• Click Next: Tags , Next: Review

Provide a policy name singles3bucketaccess-iam-policy and click Create Policy.

• We have created the required IAM policy.

Finally We can assign this IAM policy to an IAM user so that User can access the specified S3 bucket. 

====================END====================

 

 

Additional & Optional.........

 

Grant IAM user access to a folder in S3 bucket
Let’s set up a custom IAM policy which grants access to specific folders within the S3 bucket.

Use case : Let’s assume you have lists of users who want to upload and download files from their respective folders within the S3 bucket.

In this case , We have to create a custom policy for each user allowing access only to their respective folders.

The first section of the policy allows the users to access the S3 console and lists the S3 buckets.

This is the minimum permission required for a user to access or list the S3 bucket.

Policy 1 : List all the S3 Buckets

{ "Version": "2012–10–17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Resource": "arn:aws:s3:::*" },

• Next , The user should have the permission to list all the folders within the S3 bucket.

Policy 2 : List Folders in S3 Bucket

• Replace Bucketname and Foldername in the below policy

{ "Sid": "Statement1", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::Bucketname"], "Condition":{"StringEquals":{"s3:prefix":["","Foldername"]} } },

• Next is to create a policy which allows the user to list all the files within the folder.

Policy 3 : List Files in a Folder

• Replace Bucketname and Foldername in the below policy

{ "Sid": "Statement2", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::Bucketname"], "Condition":{"StringLike":{"s3:prefix":["Foldername/*"]}} },

• The Final policy is to provide actual permissions the users can perform on the files within the Folder in a S3 bucket such as upload , download , delete etc.

Policy 4 : Permission to Manage Objects in S3 Folder

• Replace Bucketname and Foldername in the below policy

{ "Sid": "Statement3", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::Bucketname/foldername/*"] } ] }

• All the above policies can be merged into a single custom IAM policy and then it can be assigned to a User , Role etc.

 

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Resource": "arn:aws:s3:::*" }, { "Sid": "Statement1", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::singles3bucketaccess"], "Condition":{"StringEquals":{"s3:prefix":["","folder1"]}} }, { "Sid": "Statement2", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::singles3bucketaccess"], "Condition":{"StringLike":{"s3:prefix":["folder1/*"]}} }, { "Sid": "Statement3", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::singles3bucketaccess/folder1/*"] } ] }

The Above policy grants an IAM user access to the files in a folder named folder1 within the S3 bucket named : singles3bucketaccess.

Other than this folder , The user won’t be able to list or access any files that are present in other folders in the same S3 bucket.