Every organization has an information storage platform where many employees access various files stored in the AWS S3 service in the organization’s account. Sometimes your organization wants to restrict a particular IAM user's access to the S3 buckets. This can be done by attaching a custom policy to the IAM user without changing any bucket-level policies.
If you are new to Identity and Access Management, here is a blog to understand the 8 Best Practices of Identity and Access Management (IAM).
Consider this scenario:
As an AWS account admin/root user, you want to give your web developer access to one particular folder in your primary S3 bucket, and this is the safest way to do it. The developer can access only the specific folder named in the custom policy; access to the rest of the folders is denied. This method protects the data in all other folders from changes.
In this blog, I will show and explain the policy, which will be attached to an IAM user named Shahid. I have also already created a bucket named CloudThat with the following structure:
/CloudThat/Developer-files
/CloudThat/client-files
/CloudThat/infra-files
Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCloudthatBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::CloudThat"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "Developer-files/",
            "Developer-files/shahid-files/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::CloudThat"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "Developer-files/shahid-files/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::CloudThat/Developer-files/shahid-files/*"
      ]
    }
  ]
}
A brief explanation of each block:
Block 1:
Without this permission, the IAM user cannot view or access any S3 bucket or folder. It grants two permissions: ListAllMyBuckets and GetBucketLocation. These allow the IAM user to list all the S3 buckets in the account and to view their location (region).
Although the IAM user can list and see every bucket in the AWS account, this alone does not give access to any bucket's contents. That depends on the other blocks.
Block 2:
Allow listing objects in the main bucket and the selected folder(s).
In this block, the resource is the bucket CloudThat, which contains the folder we want to give this IAM user access to. With the empty prefix allowed, this user can list the folders at the root of this bucket.
The condition is defined with the s3:prefix and s3:delimiter keys. This is required to allow listing of the named subfolders in the S3 bucket.
Block 3:
Allow listing objects in that folder.
Block 4:
Allow all AWS S3 actions in that folder.
It is done!!!
Try to access it now. This user will get Access Denied for all buckets and folders except the selected folder.
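To see exactly which requests the four blocks allow and which fall through to the implicit deny, here is an added example (not part of the original blog) that evaluates the policy above with a small IAM-style evaluator written for this page. It implements only what the policy uses: action and resource wildcards, StringEquals and StringLike conditions, and default deny. The request contexts (s3:prefix, s3:delimiter) and object keys such as app.zip are constructed test values, and the policy copy corrects the invalid "Version" string to "2012-10-17".

```python
import re

# Constructed copy of the blog's policy (Version fixed to the value IAM accepts).
BUCKET = "arn:aws:s3:::CloudThat"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUserToSeeBucketListInTheConsole", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "AllowRootAndHomeListingOfCloudthatBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [BUCKET],
         "Condition": {"StringEquals": {
             "s3:prefix": ["", "Developer-files/", "Developer-files/shahid-files/"],
             "s3:delimiter": ["/"]}}},
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [BUCKET],
         "Condition": {"StringLike": {"s3:prefix": ["Developer-files/shahid-files/*"]}}},
        {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": [BUCKET + "/Developer-files/shahid-files/*"]},
    ],
}


def _wild(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(condition, context):
    """Every operator/key pair must match; a missing context key fails the condition."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "StringLike":
                if not any(_wild(w, actual) for w in _as_list(wanted)):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    context = context or {}
    allowed, denied = False, False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_wild(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            denied = True
        else:
            allowed = True
    return allowed and not denied


def access_report():
    """Constructed requests mirroring what a console folder browse and CLI calls send."""
    checks = {
        "list all buckets": ("s3:ListAllMyBuckets", "arn:aws:s3:::*", {}),
        "list bucket root": ("s3:ListBucket", BUCKET, {"s3:prefix": "", "s3:delimiter": "/"}),
        "list Developer-files/": ("s3:ListBucket", BUCKET,
                                  {"s3:prefix": "Developer-files/", "s3:delimiter": "/"}),
        "list client-files/": ("s3:ListBucket", BUCKET,
                               {"s3:prefix": "client-files/", "s3:delimiter": "/"}),
        "list deep in shahid-files": ("s3:ListBucket", BUCKET,
                                      {"s3:prefix": "Developer-files/shahid-files/2022/"}),
        "get object in shahid-files": ("s3:GetObject",
                                       BUCKET + "/Developer-files/shahid-files/app.zip", {}),
        "get object in infra-files": ("s3:GetObject", BUCKET + "/infra-files/main.tf", {}),
        "delete object in Developer-files": ("s3:DeleteObject",
                                             BUCKET + "/Developer-files/notes.txt", {}),
    }
    return {name: is_allowed(POLICY, *args) for name, args in checks.items()}


if __name__ == "__main__":
    for name, ok in access_report().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

The report shows the shape of the policy: listing is allowed only for the root, Developer-files/ and anything under shahid-files/, while object reads, writes and deletes succeed only on keys under Developer-files/shahid-files/. For the real account, the same questions can be put to IAM itself with `aws iam simulate-custom-policy` (passing the policy via `--policy-input-list`, plus `--action-names` and `--resource-arns`) before the policy is attached to a user.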
Conclusion:
We have learned how to write an IAM policy that manages a user's S3 access, such as restricting access to a single S3 bucket and to one folder within that bucket.
There are many other IAM policy types, such as identity-based policies, Access Control Lists (ACLs), permission boundaries, and session policies. Stay tuned on this platform to learn more about IAM policies, and how to use them efficiently, in upcoming blogs.
If you have any queries about the topics discussed, drop a comment, and I will get back to you quickly.
WRITTEN BY Md Shahid Afridi P
Rishi Raj
Jan 25, 2022
Nice Piece Of Information
vishnu vardhan
Jan 27, 2023
Hi Rishi Raj
arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/[MY_FOLDER1]/[MY FOLDER2]/[MY_FILE].txt
I need a JSON script for the above one (a folder inside a folder inside a folder).
Please share it with me.