How to set up S3 policies for multiple IAM users so each has access only to their personal bucket folder?

0 votes

I have two users User1 and User2 that each have an IAM account in AWS. I have an s3 bucket "external_bucket.mybucket.com". In that bucket is a folder for each user account "User1" and "User2". I want to grant Read/Write access to User1 to the access User1 folder only and R/W access to User2 to the access User2 folder only. I don't want them to be able to see each others' folders in the root directory of external_bucket.mybucket.com. Is there a way to set up their IAM Policies such that this is possible?

My goal is to enable our users to connect to the S3 bucket from an S3 browser app like cloudberry so they can upload and download files to their folders only.

Any kind of advice for the best design for this is welcome.

Aug 14, 2018 in AWS by datageek
• 2,440 points
109 views

1 answer to this question.

0 votes

Something like this should work to allow User1 to only access User1's folder:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringLike":{"s3:prefix":["user1/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::user1/*"]
   }
 ]
}

I have taken the above piece of code from this article - Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket

Apply that as User1's policy, and then only User1 should be able to access the user1/ folder.If you substitute User2 for User1 in User2's policy, User2 should only be able to access the user2/folder.

I hope this was helpful.

answered Aug 14, 2018 by Deepthi
• 300 points

Related Questions In AWS

+1 vote
3 answers

How to get ARN for s3 Bucket using aws cli .

An ARN is a non-opaque, constructible identifier, ...READ MORE

answered Aug 16, 2018 in AWS by Priyaj
• 56,900 points
1,549 views
0 votes
1 answer

How to set up a SPF(Sender Policy Framework) for AWS EC2 instance?

Setting up a SPF record is pretty ...READ MORE

answered Aug 16, 2018 in AWS by Archana
• 4,090 points
242 views
0 votes
1 answer
0 votes
1 answer

How to set up rules for Application Load Balancer?

You can configure rules for each of ...READ MORE

answered Nov 19, 2018 in AWS by Archana
• 5,560 points
47 views
+13 votes
2 answers

Git management technique when there are multiple customers and need multiple customization?

Consider this - In 'extended' Git-Flow, (Git-Multi-Flow, ...READ MORE

answered Mar 26, 2018 in DevOps & Agile by DragonLord999
• 8,380 points
204 views
+1 vote
2 answers

AWS CloudWatch Logs in Docker

The awslogs works without using ECS. you need to configure ...READ MORE

answered Sep 6, 2018 in AWS by bug_seeker
• 15,350 points
388 views
0 votes
2 answers

How to access files in S3 bucket from R?

You can take a look at the ...READ MORE

answered Aug 10, 2018 in AWS by Deepthi
• 300 points
1,302 views
0 votes
1 answer

Push Notification not sent by Amazon SNS to IOS application.

If the SNS endpoint is disabled after ...READ MORE

answered Aug 13, 2018 in AWS by Deepthi
• 300 points
701 views