How to give access only to a folder inside s3 bucket for an AWS IAM user?

Sometimes you want to limit an IAM user's access to a single folder (prefix) inside an S3 bucket. This can be done by attaching a custom policy to the IAM user, without changing any policy at the bucket level.

Scenario: You are the AWS account owner and you want to give one of your web developers access to a particular folder in your main S3 bucket. Giving access in this manner is safe:

the user cannot read or change data in any other folder of the bucket, or in any other bucket.


Grant Access to User-Specific Folders in an Amazon S3 Bucket – IAM Policy

You can do this by following the steps below:

Create an IAM user. If the user already exists, open the policy attached to that user and add the following policy.

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket.crybit.com"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "uploads/",
                        "uploads/test/",
                        "uploads/test/folder/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket.crybit.com"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "uploads/test/folder/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket.crybit.com/uploads/test/folder/*"
            ]
        }
    ]
}

The policy itself gives you the idea behind it, but let me explain it briefly:

Block 1: Allow the console to list buckets.

Without this statement the IAM user cannot reach any folder through the console. It enables the two permissions Amazon S3 console access needs: ListAllMyBuckets and GetBucketLocation. Without these two actions the IAM user gets an access denied error in the console.

Although the IAM user can list and see the names of all buckets in the AWS account, that does not mean they can access their contents. What they can access depends on the other blocks.

Block 2: Allow listing objects in the main folder and the selected sub-folder(s).

In this block the resource is the bucket containing the folder we want to give this IAM user access to, so the user can list the folders inside this bucket that lead to the target folder.

The condition is defined with a prefix and a delimiter. This is required to give access to sub folders: the prefix list names each level of the path down to the target folder, and the delimiter "/" is what the console sends when it browses one folder level at a time, so a listing without that delimiter is not covered by this block.

Block 3: Allow listing objects in that particular folder.

Block 4: Allow all Amazon S3 actions in that particular folder.

That’s it!!

Try to access the bucket now. This user will get access denied for all buckets and folders except the folder we selected.
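Before attaching the policy it is worth checking what it does and does not allow. The following is an added example, not from the post, that restates the policy as a Python dict and runs it through a deliberately simplified IAM evaluator (Allow statements only, StringEquals/StringLike conditions only, no explicit Deny or NotAction), so the folder boundary can be exercised offline.

```python
import fnmatch

BUCKET = "arn:aws:s3:::mybucket.crybit.com"

# The post's policy restated as a Python dict (Sid fields dropped for brevity).
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringEquals": {
         "s3:prefix": ["", "uploads/", "uploads/test/", "uploads/test/folder/"],
         "s3:delimiter": ["/"]}}},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringLike": {"s3:prefix": ["uploads/test/folder/*"]}}},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": [BUCKET + "/uploads/test/folder/*"]},
]}


def _match_any(value, patterns, wildcard):
    # IAM's "*" and "?" behave like shell globs; fnmatchcase keeps the match case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) if wildcard else value == p
               for p in patterns)


def _condition_ok(condition, ctx):
    # All operators and all keys must hold (AND); the values of one key are alternatives (OR).
    # A key missing from the request context fails the condition, as it does in IAM.
    for operator, keys in condition.items():
        wildcard = operator == "StringLike"
        for key, values in keys.items():
            if key not in ctx or not _match_any(ctx[key], values, wildcard):
                return False
    return True


def is_allowed(action, resource, ctx=None):
    """Simplified IAM evaluation: implicit deny unless some Allow statement matches."""
    ctx = ctx or {}
    for st in POLICY["Statement"]:
        if (st["Effect"] == "Allow"
                and _match_any(action, st["Action"], True)
                and _match_any(resource, st["Resource"], True)
                and _condition_ok(st.get("Condition", {}), ctx)):
            return True
    return False


if __name__ == "__main__":
    print(is_allowed("s3:PutObject", BUCKET + "/uploads/test/folder/report.csv"))  # True
    print(is_allowed("s3:PutObject", BUCKET + "/uploads/test/report.csv"))         # False
    print(is_allowed("s3:ListBucket", BUCKET, {"s3:prefix": "uploads/"}))          # False
```

Against the real account, `aws iam simulate-principal-policy` performs the same kind of action/resource/context-key check with the full IAM evaluation logic.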



Arunlal Ashok
