Grant IAM User Access to Only One S3 Bucket or Folder Using IAM Policy
In this guide, we will configure an IAM policy that grants an IAM user access to one specific S3 bucket and/or to a folder within that bucket.
Table of Contents
● What is IAM?
● What is the IAM Policy?
● Creating IAM Policy — Granting Single bucket Access
● Creating IAM user & Assigning IAM Policy
● Creating IAM Role & Attaching IAM Policy
● Grant IAM user access to a Folder in S3 Bucket
What is IAM?
IAM stands for Identity and Access Management. IAM is the AWS web service that provides authentication and authorization for the users and resources hosted in Amazon Web Services.
What is the IAM Policy?
We manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or to AWS resources.
A policy defines a set of permissions and can be attached to resources and to users.
Every time an IAM principal (a user or a role) makes a request, AWS evaluates the policies that apply to it. Those permissions determine whether the request is allowed; the policies themselves are stored as JSON documents.
Supported policy types:
● Identity-based policies
● Resource-based policies
● Permissions boundaries
● Organizations SCPs
● ACLs
● Session policies
When you create an IAM user, you can choose to allow console access, programmatic access, or both. With console access, the IAM user signs in to the console with a username and password. With programmatic access, the user uses access keys to work with the CLI or API.
Creating IAM Policy
The IAM policy we are going to create grants an IAM user full access to a single S3 bucket, so that the user can manage the files and folders within that bucket.
Log in to the IAM console.
From the navigation pane, choose Policies.
There are two types of policies:
1. Policies that are managed by AWS are referred to as AWS managed policies.
2. Policies that we create ourselves are called customer managed policies.
Let us implement an IAM policy that grants an IAM user full access to one specific S3 bucket.
For this tutorial, let's say your bucket is named singles3bucketaccess.
To create the policy, choose Create policy and click the JSON tab.
In the JSON editor, remove the existing policy and paste the policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::singles3bucketaccess",
        "arn:aws:s3:::singles3bucketaccess/*"
      ]
    }
  ]
}
The first statement grants the IAM user permission to list all the S3 buckets in the account, which is what the S3 console needs in order to show them.
The second statement grants the IAM user access to all the files and folders within the S3 bucket singles3bucketaccess.
Instead of granting full access to the bucket, we can grant only specific S3 actions such as s3:GetObject, s3:ListBucket or s3:ListJobs. Note that "s3:*" on the bucket ARN also covers bucket-level configuration actions such as s3:PutBucketPolicy and s3:DeleteBucket, so narrow the action list if the user should only manage objects.
Click Next: Tags, then Next: Review.
Provide a name and click Create policy.
We have now created the required IAM policy.
We can assign this IAM policy to an IAM user so that the user can access the specified S3 bucket.
Creating IAM User & Assigning the IAM Policy
Now it is time to attach the policy we created to an IAM user.
To create an IAM user, choose Users.
Click Add user.
Enter a name for the IAM user and choose the type of AWS access they require.
Click Next: Permissions.
As we have already created the IAM policy, choose Attach existing policies directly.
Search for the IAM policy created earlier and select it.
Click Next: Review, then choose Create user.
Once the user is created with the required permissions, they can manage the S3 bucket and the files and folders inside it, using either access keys or the AWS console depending on the access type assigned to that user.
Attaching IAM Policy to IAM Role
An IAM role is how one AWS service is granted permission to act on another.
Let's say you have an EC2 instance that needs to communicate with the S3 bucket to perform operations such as uploading and downloading files.
In this case, we create an IAM policy with the required permissions and attach that policy to an IAM role.
The IAM role is then attached to the EC2 instance, which can use it to perform the S3 operations.
To create an IAM role, log in to the IAM console.
From the navigation pane, choose Roles.
Click Create role.
Choose AWS service as the trusted entity and choose EC2 as the common use case.
Click Next: Permissions.
Choose the IAM policy that was created earlier.
Click Next: Tags, then Review, enter a name for the IAM role and click Create role.
This IAM role can be attached to EC2 instances so that the instances can access the S3 bucket to upload and download files without any long-lived access keys stored on the instance.
Grant IAM user access to a folder in S3 bucket
Let's set up a custom IAM policy that grants access to specific folders within the S3 bucket.
Use case: assume you have a list of users who each want to upload and download files from their own folder within the S3 bucket.
In this case, we have to create a custom policy for each user that allows access only to that user's folder.
The first section of the policy allows the user to access the S3 console and list the S3 buckets.
This is the minimum permission a user needs in order to see or list the S3 bucket.
Policy 1: List all the S3 buckets
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
Next, the user needs permission to list the folders at the top level of the S3 bucket.
Policy 2: List folders in the S3 bucket
Replace Bucketname and Foldername in the policy below.
    {
      "Sid": "Statement1",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::Bucketname"],
      "Condition": {"StringEquals": {"s3:prefix": ["", "Foldername"]}}
    },
Next, create a statement that allows the user to list the files within the folder.
Policy 3: List files in a folder
Replace Bucketname and Foldername in the policy below.
    {
      "Sid": "Statement2",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::Bucketname"],
      "Condition": {"StringLike": {"s3:prefix": ["Foldername/*"]}}
    },
The final statement grants the actual permissions the user can perform on the files within the folder, such as upload, download and delete.
Policy 4: Permission to manage objects in the S3 folder
Replace Bucketname and Foldername in the policy below.
    {
      "Sid": "Statement3",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::Bucketname/Foldername/*"]
    }
  ]
}
All the statements above can be merged into a single custom IAM policy, which can then be assigned to a user, a role, etc.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "Statement1",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::singles3bucketaccess"],
      "Condition": {"StringEquals": {"s3:prefix": ["", "folder1"]}}
    },
    {
      "Sid": "Statement2",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::singles3bucketaccess"],
      "Condition": {"StringLike": {"s3:prefix": ["folder1/*"]}}
    },
    {
      "Sid": "Statement3",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::singles3bucketaccess/folder1/*"]
    }
  ]
}
The policy above grants an IAM user access to the files in the folder named folder1 within the S3 bucket named singles3bucketaccess.
Outside that folder, the user can neither list nor access any files in other folders of the same bucket, because the ListBucket statements are limited to the folder1 prefixes and the object-level statement is limited to the folder1/ key space.
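To check what the single-bucket policy and the merged folder policy above actually permit before attaching them, here is an added example (not part of the original post) of a small offline evaluator. It models only Allow statements, IAM-style "*" wildcards in Action and Resource, and the StringEquals/StringLike conditions on s3:prefix that this page uses; Deny statements and other condition operators are not modelled, and the names FOLDER_POLICY and is_allowed are this example's own.

```python
import fnmatch
import json

# Constructed copy of the merged folder policy shown on this page (ASCII quotes).
FOLDER_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
   "Resource": "arn:aws:s3:::*"},
  {"Sid": "Statement1", "Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": ["arn:aws:s3:::singles3bucketaccess"],
   "Condition": {"StringEquals": {"s3:prefix": ["", "folder1"]}}},
  {"Sid": "Statement2", "Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": ["arn:aws:s3:::singles3bucketaccess"],
   "Condition": {"StringLike": {"s3:prefix": ["folder1/*"]}}},
  {"Sid": "Statement3", "Effect": "Allow", "Action": ["s3:*"],
   "Resource": ["arn:aws:s3:::singles3bucketaccess/folder1/*"]}]}
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, context):
    # Only StringEquals and StringLike are modelled. A condition key that is
    # absent from the request context fails the test, as it does in IAM.
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            if key not in context:
                return False
            val, wanted = context[key], _as_list(wanted)
            if op == "StringEquals" and val not in wanted:
                return False
            if op == "StringLike" and not any(fnmatch.fnmatchcase(val, w) for w in wanted):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource ('*' wildcards) and condition."""
    context = context or {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), context):
            return True
    return False
```

Against a live account, the same questions can be put to AWS's own policy engine with `aws iam simulate-custom-policy`, which is the authoritative answer.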