Most organizations keep an information store in which employees access files held in the AWS S3 service. Sometimes you want to restrict a specific IAM user's access to an S3 bucket. This can be done by attaching a custom policy to the IAM user, without changing any bucket-level policy.
This blog will help you understand the 8 Best Practices in Identity and Access Management (IAM).
Take a look at this scenario:
As the AWS account administrator (root user), you can grant your web developer access to a single folder in your primary S3 bucket. This is the most secure way. The developer can only access the folder named in the custom policy; access to every other folder is denied. This protects the data in all other folders from being changed.
This blog will explain and demonstrate the policy. It will be attached to an IAM user named Shahid. I have also created a bucket called CloudThat with the following structure:
/CloudThat/Developer-files
/CloudThat/client-files
/CloudThat/infra-files
Policy
IAM Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCloudthatBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::CloudThat"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "Developer-files/",
            "Developer-files/shahid-files/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::CloudThat"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "Developer-files/shahid-files/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::CloudThat/Developer-files/shahid-files/*"
      ]
    }
  ]
}
```
Here’s a brief description of each block:
Block 1:
IAM users cannot view or access any S3 folders or buckets.
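To check what the policy above actually permits before attaching it to Shahid, here is an added Python model of its evaluation (not part of the original post, and not AWS's own evaluator). It implements only what the policy uses: Allow statements, `*` wildcards in actions and ARNs, and `StringEquals`/`StringLike` conditions on `s3:prefix` and `s3:delimiter`; the bucket name, folder names and sample keys are the ones from this post.

```python
import fnmatch

BUCKET = "arn:aws:s3:::CloudThat"
HOME = "Developer-files/shahid-files/"
# Compact copy of the post's four Allow statements (constructed from the policy above).
POLICY = [
    {"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringEquals": {"s3:prefix": ["", "Developer-files/", HOME],
                                    "s3:delimiter": ["/"]}}},
    {"Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringLike": {"s3:prefix": [HOME + "*"]}}},
    {"Action": ["s3:*"], "Resource": [BUCKET + "/" + HOME + "*"]},
]

def _condition_matches(condition, ctx):
    # IAM semantics: keys are ANDed, values for one key are ORed, missing key fails.
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key not in ctx:
                return False
            if operator == "StringEquals" and ctx[key] not in values:
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(ctx[key], v) for v in values):
                return False
    return True

def is_allowed(action, resource, ctx=None):
    # Implicit deny unless a statement matches; '*' is modelled with fnmatch.
    ctx = ctx or {}
    for stmt in POLICY:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False

def can_list(prefix, delimiter="/"):
    # Console browsing sends prefix + delimiter; without a delimiter only HOME lists.
    ctx = {"s3:prefix": prefix}
    if delimiter is not None:
        ctx["s3:delimiter"] = delimiter
    return is_allowed("s3:ListBucket", BUCKET, ctx)

def can_get(key):
    return is_allowed("s3:GetObject", BUCKET + "/" + key)
```

Note that the last statement grants `s3:*` inside the user folder, so deletes and overwrites there are allowed too; narrow the action list if the developer only needs to read and upload.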