Amazon S3 Bucket User-Specific Folders Access

Every organization has an information storage system where employees can access files stored in the AWS S3 service. Sometimes your organization may want to restrict access to S3 buckets by a specific IAM user. This can be done by creating a custom policy for IAM users, without having to change any bucket-level policies.
This blog will help you understand the 8 Best Practices in Identity and Access Management (IAM).
Take a look at this scenario:
You can grant access to your web developer as an AWS account administrator/root user to a folder on your primary S3 storage bucket. This is the most secure way. The developer can only access the specific folder specified in the custom policy. All other folders are restricted access. This method protects against data changes in any other folders.
This blog will explain and demonstrate the policy. It will be associated to Shahid, an IAM user. I have also created a bucket called CloudThat with the following structure.

IAM Policy “Version”: “2021-12-06”, “Statement”: [ “Sid”: “AllowUserToSeeBucketListInTheConsole”, “Action”: [ “s3:ListAllMyBuckets”, “s3:GetBucketLocation” ], “Effect”: “Allow”, “Resource”: [ “arn:aws:s3:::*” ] , “Sid”: “AllowRootAndHomeListingOfCloudthatBucket”, “Action”: [ “s3:ListBucket” ], “Effect”: “Allow”, “Resource”: [ “arn:aws:s3:::CloudThat” ], “Condition”: “StringEquals”: “s3:prefix”: [ “”, “Developer-files/”, “Developer-files/shahid-files/” ], “s3:delimiter”: [ “/” ] , “Sid”: “AllowListingOfUserFolder”, “Action”: [ “s3:ListBucket” ], “Effect”: “Allow”, “Resource”: [ “arn:aws:s3:::CloudThat” ], “Condition”: “StringLike”: “s3:prefix”: [ ” Developer-files/shahid-files/*” ] , “Sid”: “AllowAllS3ActionsInUserFolder”, “Effect”: “Allow”, “Action”: [ “s3:*” ], “Resource”: [ “arn:aws:s3:::CloudThat/Developer-files/shahid-files/*” ] ]12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667″Version”: “2021-12-06″,”Statement”: [“Sid”: “AllowUserToSeeBucketListInTheConsole”,”Action”: [“s3:ListAllMyBuckets”,”s3:GetBucketLocation”],”Effect”: “Allow”,”Resource”: [“arn:aws:s3:::*”],”Sid”: “AllowRootAndHomeListingOfCloudthatBucket”,”Action”: [“s3:ListBucket”],”Effect”: “Allow”,”Resource”: [“arn:aws:s3:::CloudThat”],”Condition”: “StringEquals”: “s3:prefix”: [“”,”Developer-files/”,”Developer-files/shahid-files/”],”s3:delimiter”: [“/”],”Sid”: “AllowListingOfUserFolder”,”Action”: [“s3:ListBucket”],”Effect”: “Allow”,”Resource”: [“arn:aws:s3:::CloudThat”],”Condition”: “StringLike”: “s3:prefix”: [” Developer-files/shahid-files/*”],”Sid”: “AllowAllS3ActionsInUserFolder”,”Effect”: “Allow”,”Action”: [“s3:*”],”Resource”: [“arn:aws:s3:::CloudThat/Developer-files/shahid-files/*”] ]
Here’s a brief description of each block:
Block 1:
IAM users cannot view or access any S3 folders or buckets.

Posts created 195

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top