Friday, December 4, 2020

Restrict IAM user to access specific s3 bucket or folder

Sometimes an organization will keep a separate S3 folder for each developer to manage their documents. In that case the system administrator has to restrict each developer to a specific bucket. There are two ways to achieve this:

1. Create a separate policy for each user

2. Create a bucket with the same name as the IAM user name and write one policy that restricts all users

 

Create a separate policy for each user

Step 1: Go to IAM and select Users

Step 2: Click Add User, provide the user name, access type and other required details, then click Next: Permissions

Step 3: On the permissions screen select Attach policy and click the Create policy button

Step 4: In the create policy screen select JSON, copy and paste the following JSON, and change the bucket name

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": "arn:aws:s3:::<<Bucket Name>>"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListJobs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<<Bucket Name>>/*"
        }
    ]
}

Step 5: Click Review policy, enter a policy name and description, and click Create policy

Step 6: Click the Refresh button, then search for and select the policy you just created

Step 7: Click Next and complete the action

 

Create a bucket with the same name as the IAM user name and write one policy that restricts all users

Step 1: In IAM, create a new policy with the following policy document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": "arn:aws:s3:::${aws:username}"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListJobs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::${aws:username}/*"
        }
    ]
}

Step 2: Attach this policy to each user.
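To check what both policies above actually grant before attaching them, here is an added Python example (not from the original post) that implements a simplified IAM evaluator for the ${aws:username} policy variable and wildcard resource matching, then runs the per-user policy against a few requests. The user names and object keys are constructed; IAM conditions and explicit Deny across multiple policies are out of scope.

```python
import fnmatch

# Constructed copy of the ${aws:username} policy above, with the variable left in
# place so the evaluator has to resolve it the way IAM does at request time.
PER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:ListBucketVersions",
                    "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts"],
         "Resource": "arn:aws:s3:::${aws:username}"},
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListJobs"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::${aws:username}/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, username):
    # Resolve the policy variable, then apply IAM-style * and ? wildcards.
    # Assumes user names contain no wildcard characters themselves.
    pattern = pattern.replace("${aws:username}", username)
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, username, action, resource):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow,
    otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_matches(a.lower(), action.lower(), username)
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource, username)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    for user, act, res in [("alice", "s3:GetObject", "arn:aws:s3:::alice/notes.txt"),
                           ("alice", "s3:GetObject", "arn:aws:s3:::bob/notes.txt"),
                           ("alice", "s3:ListBucket", "arn:aws:s3:::alice"),
                           ("alice", "s3:DeleteObject", "arn:aws:s3:::alice/notes.txt")]:
        print(user, act, res, "->", "ALLOW" if is_allowed(PER_USER_POLICY, user, act, res) else "DENY")
```

Note that the bucket-level statement never matches an object ARN and the object-level statement never matches the bare bucket ARN, which is why each policy needs both; the ListAllMyBuckets grant on "*" is what lets the user see every bucket name in the account from the console.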
