How to set up S3 policies for multiple IAM users so each has access only to their personal bucket folder

0 votes

I have two users User1 and User2 that each have an IAM account in AWS. I have an s3 bucket "external_bucket.mybucket.com". In that bucket is a folder for each user account "User1" and "User2". I want to grant Read/Write access to User1 to the access User1 folder only and R/W access to User2 to the access User2 folder only. I don't want them to be able to see each others' folders in the root directory of external_bucket.mybucket.com. Is there a way to set up their IAM Policies such that this is possible?

My goal is to enable our users to connect to the S3 bucket from an S3 browser app like cloudberry so they can upload and download files to their folders only.

Any kind of advice for the best design for this is welcome.

Aug 14, 2018 in AWS by datageek
• 2,540 points
3,211 views

1 answer to this question.

0 votes

Something like this should work to allow User1 to only access User1's folder:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringLike":{"s3:prefix":["user1/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::user1/*"]
   }
 ]
}

I have taken the above piece of code from this article - Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket

Apply that as User1's policy, and then only User1 should be able to access the user1/ folder.If you substitute User2 for User1 in User2's policy, User2 should only be able to access the user2/folder.

I hope this was helpful.

answered Aug 14, 2018 by Deepthi
• 300 points
Is it possible to allow access to common folder in root directory for the two users ?

Hi@Vincy,

Are you trying to say that an S3 bucket has two users? Can you explain your query a little bit more? So that we can help you as soon as possible.

Related Questions In AWS

+1 vote
3 answers

How to get ARN for s3 Bucket using aws cli .

An ARN is a non-opaque, constructible identifier, ...READ MORE

answered Aug 16, 2018 in AWS by Priyaj
• 58,100 points
5,570 views
0 votes
1 answer

How to set up a SPF(Sender Policy Framework) for AWS EC2 instance?

Setting up a SPF record is pretty ...READ MORE

answered Aug 16, 2018 in AWS by Archana
• 4,170 points
1,553 views
0 votes
1 answer
+15 votes
2 answers

Git management technique when there are multiple customers and need multiple customization?

Consider this - In 'extended' Git-Flow, (Git-Multi-Flow, ...READ MORE

answered Mar 27, 2018 in DevOps & Agile by DragonLord999
• 8,450 points
3,954 views
+1 vote
2 answers

AWS CloudWatch Logs in Docker

The awslogs works without using ECS. you need to configure ...READ MORE

answered Sep 7, 2018 in AWS by bug_seeker
• 15,520 points
1,967 views
0 votes
2 answers

How to access files in S3 bucket from R?

You can take a look at the ...READ MORE

answered Aug 10, 2018 in AWS by Deepthi
• 300 points
6,579 views
0 votes
1 answer

Push Notification not sent by Amazon SNS to IOS application.

If the SNS endpoint is disabled after ...READ MORE

answered Aug 14, 2018 in AWS by Deepthi
• 300 points
5,280 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP