Grant Access to User-Specific Folders in an Amazon S3 Bucket – IAM Policy

Create an IAM user. If the user already exists, go to the policy associated with that user and add the following policy.

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket.ucartz.com"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "uploads/",
                        "uploads/test/",
                        "uploads/test/folder/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket.ucartz.com"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "uploads/test/folder/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket.ucartz.com/uploads/test/folder/*"
            ]
        }
    ]
}

The policy itself give you the idea behind it. Let me explain it briefly:


The block 1:

An "IAM user" cannot use any folders without permission. We should grant two permissions, which is required for Amazon S3 console access namely: ListAllMyBuckets and GetBucketLocation. Without these two things, the IAM will always get a "denied error" within a console.

Despite the IAM user can list and view all buckets in the AWS account, but he can not enter all buckets.

It depends upon the additional blocks.


The block 2:
 

Allow listing objects in main and selected folder/s.

In this block, we can select the resources, as the bucket name where we want the folder to grant access to this IAM user. So, this user can list all the folder inside this bucket.

The condition we want is defined with prefix and delimiter. This is required to give access to subfolders.


The block 3:
 

Allow listing objects in that particular folder.


The block 4:
 

Allow all Amazon S3 actions in that particular folder.

That’s it !!


Was this answer helpful? 0 Users Found This Useful (0 Votes)