How to give access only to a folder inside s3 bucket for an AWS IAM user?

Sometimes you want to limit a particular IAM user's access to an S3 bucket. This can be done by attaching a custom policy to the IAM user without changing any bucket-level policies.

Scenario: You are the AWS account owner and you want to give one of your web developers access to a particular folder in your main S3 bucket. It is safe to grant access in this manner.

Data in all other folders is protected from any changes by that user.


Grant Access to User-Specific Folders in an Amazon S3 Bucket – IAM Policy

You can do this by following the steps below:

Create an IAM user. If the user already exists, open the policy attached to that user and add the following policy.

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket.crybit.com"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "uploads/",
                        "uploads/test/",
                        "uploads/test/folder/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket.crybit.com"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "uploads/test/folder/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket.crybit.com/uploads/test/folder/*"
            ]
        }
    ]
}

The policy itself gives you the idea behind it. Let me explain it briefly:

Block 1:

Without these permissions the IAM user cannot access any folder at all. We have to grant two permissions that are required for Amazon S3 console access: ListAllMyBuckets and GetBucketLocation. Without these two actions, the IAM user will get an access denied error in the console.

Even though the IAM user can list and view all buckets in the AWS account, he cannot access their contents. That depends on the other blocks.

Block 2: Allow listing objects in the bucket root and in the selected folder(s).

In this block, the resource is the bucket that contains the folder we want to give this IAM user access to. Together with the condition, this lets the user list the bucket root and the intermediate folders (uploads/, uploads/test/) leading down to the target folder.

The condition is defined with the s3:prefix and s3:delimiter keys. This is required so the user can navigate through the parent folders to the sub-folder.

Block 3: Allow listing objects in that particular folder (uploads/test/folder/ and anything below it).

Block 4: Allow all Amazon S3 actions in that particular folder.

That’s it!!

Try accessing the bucket now. This user will get access denied for all buckets and folders except the folder we have selected.
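To see why each of the four blocks is needed, here is a small Python model of how IAM evaluates these statements against ListBucket and object requests. It is an added example written for this article, not AWS's evaluation engine or the author's code: it implements only the elements the policy above uses (Action and Resource wildcards, StringEquals and StringLike conditions, and the explicit-deny-over-allow rule), and the bucket, folder and request values are the ones from the policy on this page; the sample object keys (a.txt, secret.txt) are constructed. For an authoritative answer in a real account, use `aws iam simulate-principal-policy` instead.

```python
import re

# The article's policy, restated as a Python dict (same bucket and folder).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUserToSeeBucketListInTheConsole", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::mybucket.crybit.com"],
         "Condition": {"StringEquals": {
             "s3:prefix": ["", "uploads/", "uploads/test/", "uploads/test/folder/"],
             "s3:delimiter": ["/"]}}},
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::mybucket.crybit.com"],
         "Condition": {"StringLike": {"s3:prefix": ["uploads/test/folder/*"]}}},
        {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
         "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::mybucket.crybit.com/uploads/test/folder/*"]},
    ],
}

BUCKET_ARN = "arn:aws:s3:::mybucket.crybit.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is zero or more characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Operators are ANDed, keys within an operator are ANDed, listed values are ORed.
    A condition key that is absent from the request makes a String* test fail."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "StringEquals":
                ok = actual in _as_list(wanted)
            elif operator == "StringLike":
                ok = any(_glob_match(p, actual) for p in _as_list(wanted))
            else:  # only the operators used by the policy on this page are modelled
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if not any(_glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow, else implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_list(policy, prefix, delimiter="/"):
    """ListBucket request as the S3 console and `aws s3 ls` issue it (prefix plus '/' delimiter).
    Pass delimiter=None to model a flat listing that sends no delimiter."""
    context = {"s3:prefix": prefix}
    if delimiter is not None:
        context["s3:delimiter"] = delimiter
    return is_allowed(policy, "s3:ListBucket", BUCKET_ARN, context)


def can_touch_object(policy, action, key):
    """Object-level request (GetObject, PutObject, DeleteObject, ...) on bucket/key."""
    return is_allowed(policy, action, f"{BUCKET_ARN}/{key}")


if __name__ == "__main__":
    for prefix in ("", "uploads/", "uploads/test/folder/", "uploads/test/folder/2024/", "uploads/other/"):
        print(f"list {prefix!r:32} -> {can_list(POLICY, prefix)}")
    print("list 'uploads/' without delimiter   ->", can_list(POLICY, "uploads/", delimiter=None))
    print("PutObject uploads/test/folder/a.txt ->", can_touch_object(POLICY, "s3:PutObject", "uploads/test/folder/a.txt"))
    print("GetObject uploads/secret.txt        ->", can_touch_object(POLICY, "s3:GetObject", "uploads/secret.txt"))
```

Running it shows that listing uploads/other/ is denied while uploads/test/folder/2024/ is allowed by block 3 alone, and that a listing of uploads/ without a delimiter is denied even though that prefix is in the StringEquals list, because block 2 also requires the s3:delimiter key to be present and equal to "/". The last line shows block 4 doing nothing for objects outside the folder: block 1 matches every resource but only for the two console actions, so GetObject on uploads/secret.txt falls through to the implicit deny.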


Arunlal Ashok

Linux Cloud Infrastructure / DevOps Engineer. I've been dealing with Linux servers since 2012. I started this blog to share and discuss my ideas.

Always happy for an open discussion! Write to arun (@) crybit (dot) com. Check about me for more details. About this blog and our strong members, check The team CryBit.com
