Grant Access To Only One S3 Bucket Or Folder Using IAM Policy

In this blog post, we will learn to set up an IAM policy that IAM users, roles and groups can use to access only one S3 bucket, or only one folder within a bucket.

For a detailed understanding of how to manage S3 buckets and objects, refer to this article.

First, let's understand the basics of an IAM policy.

What Is IAM Policy?

An IAM policy is an entity in which we define permissions (for example, on an EC2 instance or an S3 bucket); the policy can then be attached to users or roles.

By writing a custom IAM policy, we can tightly restrict which resources users and roles are able to reach.

The policy can also be created with the help of the AWS Policy Generator.

Creating IAM Policy

To create an IAM policy, log in to the IAM console.

In the navigation pane, choose Policies.

There are policies that are already created and managed by AWS; these are called AWS managed policies.

An IAM policy that we create ourselves is referred to as a customer managed policy.

To create a policy, click Create policy, and then choose JSON.

The policy we are going to create grants a user or role full access to only one S3 bucket. For this tutorial, let's consider the S3 bucket name to be test-custom-policy.

So we have to create the policy accordingly.

In the JSON editor, remove the existing policy and add the policy below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::test-custom-policy",
                "arn:aws:s3:::test-custom-policy/*"
            ]
        }
    ]
}

The first statement of the above policy grants read-only permission to list all the S3 buckets in the account, across AWS regions.

The second statement grants full access (s3:*) to the test-custom-policy bucket and its objects.

We can restrict access to that bucket further by granting only specific actions, such as s3:GetObject, instead of s3:*.

Once the policy is added, click Review policy.

Provide a name for the policy and then click Create.

Now that we have the required policy, it's time to assign it to the required users, groups or roles.

Assigning Policy To IAM User

Let's go ahead and assign the IAM policy we created, so that an IAM user can manage the objects of the specific S3 bucket as permitted by the policy.

To create an IAM user, in the navigation pane, choose Users.

Click Add user.

Provide a name for the IAM user.

Then we choose the access type the user will use to access AWS resources.

Depending on the user's requirement, we can grant either console access or programmatic access.

Click Next: Permissions.

As we have already created the IAM policy, choose Attach existing policies directly.

Search for the IAM policy and then select it.

Click Next: Tags. We can optionally add tags to the user.

Click Next: Review and then choose Create user.

Once the user is created with the required permissions, they can manage the S3 bucket and its objects, using access keys or the AWS console depending on the access type assigned to that user.

Assigning IAM Policy To Roles

IAM roles are the mechanism through which AWS services obtain permissions to communicate with each other.

Let's say an EC2 instance needs to access a particular S3 bucket. We will create an IAM role and attach the policy to it.

Finally, the IAM role can be attached to that EC2 instance.

For a better understanding of IAM roles and assigning roles to an EC2 instance, I have published a separate article; check it out.

Once the role is assigned to the EC2 instance, the instance can access only the S3 bucket that the policy grants.

Assigning Policies To Groups

Let's say there is a team of 10 members working on a project, and everyone in the team needs full access to the S3 bucket so that they can manage objects within it.

Instead of assigning the policy separately to each user, we will create a group, add all the users to it and attach the IAM policy to the group.

To create a group, log in to the IAM console. In the left navigation pane, choose Groups.

Click Create New Group.

Provide a name for the group and click Next Step.

Here we attach the S3 policy we created earlier and click Next Step.

Review the group and click Create Group.

If you wish to add users to the group, select the group and, under Group Actions, select Add Users to Group.

You will see the list of available IAM users; select the IAM user and choose Add Users.

To remove a user from the group, select the group and, under Group Actions, choose Remove Users from Group.

Select the users and click Remove Users.

Granting IAM User Access To Specific Folder In S3 Bucket

In the previous policy, we granted full access to the S3 bucket for users, groups and instances.

If you have a list of users who should access only specific folders in the S3 bucket, we have to create an IAM policy accordingly and assign it to them.

We can also restrict the users' permissions to the objects within a folder of the S3 bucket.

Let's split the policy into its individual statements to understand them better, as shown below. Bucketname and Foldername in the statements are placeholders for your own bucket and folder names.

The users need to list all the buckets in the AWS account. Removing this permission prevents the user from using the S3 console at all.

{
   "Version": "2012-10-17",
   "Statement": [
       {
          "Effect": "Allow",
          "Action": [
              "s3:GetBucketLocation",
              "s3:ListAllMyBuckets"
          ],
          "Resource": "arn:aws:s3:::*"
       },

Now the user is able to list all the buckets in the AWS account. Next we need to allow the user to list the folders within the S3 bucket.

Here is the statement that allows listing the S3 bucket, restricted by the s3:prefix condition to the bucket root (the empty prefix) and the Foldername prefix.

{
    "Sid": "Statement1",
    "Action": ["s3:ListBucket"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::Bucketname"],
    "Condition":{"StringEquals":{"s3:prefix":["","Foldername"]}}
  },

After they get access to list the folder within the S3 bucket, the next step is a statement that allows listing all the objects within the folder.

{
   "Sid": "Statement2",
   "Action": ["s3:ListBucket"],
   "Effect": "Allow",
   "Resource": ["arn:aws:s3:::Bucketname"],
   "Condition":{"StringLike":{"s3:prefix":["Foldername/*"]}}
  },

Finally, we write a statement that allows managing the objects in the specific folder of the S3 bucket. Note that S3 object keys are case-sensitive, so the folder name in the resource ARN must match the prefix used in the conditions above exactly.

{
   "Sid": "Statement3",
   "Effect": "Allow",
   "Action": ["s3:*"],
   "Resource": ["arn:aws:s3:::Bucketname/Foldername/*"]
  }
 ]
}

We combine all four statements into a single policy document when creating the IAM policy.

By doing so, the users have access only to the specific folder within the S3 bucket.
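As an added example (not code from the original post), the Python below assembles the four statements above for a given bucket and folder and evaluates sample requests against them with a deliberately simplified IAM-style matcher: implicit deny, wildcard matching on Action and Resource, and the StringEquals/StringLike s3:prefix conditions. Bucketname and Foldername remain placeholders, and the matcher ignores explicit Deny statements and any condition operators the post does not use.

```python
import fnmatch
def build_folder_policy(bucket, folder):
    """The four statements from the post as one document (names are placeholders)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Resource": "arn:aws:s3:::*",
             "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"]},
            {"Sid": "Statement1", "Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"],
             "Condition": {"StringEquals": {"s3:prefix": ["", folder]}}},
            {"Sid": "Statement2", "Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"],
             "Condition": {"StringLike": {"s3:prefix": [f"{folder}/*"]}}},
            {"Sid": "Statement3", "Effect": "Allow", "Action": ["s3:*"],
             "Resource": [f"arn:aws:s3:::{bucket}/{folder}/*"]},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # Only StringEquals/StringLike (the post's operators) are modelled; a key
    # missing from the request context fails the condition, as it does in IAM.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted)):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Implicit deny unless an Allow statement matches action (case-insensitive), resource ARN (case-sensitive, like S3 keys) and condition."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # explicit Deny is not modelled in this simplified evaluator
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

Listing the bucket with no s3:prefix in the request context is denied by this model, which mirrors a common surprise with this policy shape: the console sends an empty prefix, but a client that omits the prefix entirely does not satisfy the StringEquals condition.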

Conclusion

We have learnt to write IAM policies that manage S3 access for users: access to only one S3 bucket, and folder-level access within an S3 bucket.

Hope you find it helpful. Please do check out my other publications.