AWS, Cloud Computing

2 Mins Read

Grant Access to User-Specific Folders in an Amazon S3 Bucket

Voiced by Amazon Polly

Every organization has an information storage platform where many employees will be accessing various files stored in the AWS S3 service in the organization’s account. Sometimes, your organization wants to limit access to the S3 buckets from a particular IAM user. It can be done by adding a custom policy on IAM users without changing any bucket-level policies.

If you are new to Identity and Access Management, here is a blog to understand the 8 Best Practices of Identity and Access Management (IAM).

Consider this scenario:

As an AWS account admin/root user, you want to provide access to your web developer to a particular folder on your primary S3 bucket, and is the safest way. The developer can only access a specific folder written in the custom policy, and the rest of the folders are restricted access. This method is safe from any data changes in all other folders.

In this blog, I will show and explain the policy, which will be associated with an IAM user named Shahid. Also, I have already created a bucket named CloudThat with the following structure:

Customized Cloud Solutions to Drive your Business Success

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

Policy

A brief explanation of each block:

Block 1:

The IAM user cannot view or access any S3 bucket or folders without this PERMISSION. Enable two permissions one is ListAllMyBuckets and next GetBucketLocation. These two permissions allowed the IAM user to view all the s3 buckets available in the account and view their Location.

Even the IAM user can list and view all buckets in the AWS account, but he cannot access all buckets. It depends on the other blocks.

Block 2:

Allow listing objects in the main bucket and selected folder/s.

In this block, we selected the resource as the bucket name, Cloudthat where the folder we want to give access to this IAM user. So, this user can list all the folders inside this bucket.

The condition is defined with prefix and delimiter. This is required to give access to subfolders in the S3 bucket.

Block 3:

Allow listing objects in that folder.

Block 4:

Allow all AWS S3 actions in that folder.

It is done!!!

Try to access it now. This user will get access denied for all buckets and folders except the selected folder.

Conclusion:

We have learned to write an IAM policy to manage S3 access to users, such as S3 access to only one S3 bucket and a folder level access within the S3 bucket.

There are many other IAM policy types, such as Identity-based policies, Access Control Lists (ACLs), permission boundaries, and sessions policies. Stay tuned on this platform to know more about IAM policy, and how to use them efficiently in the upcoming blogs.

If you have any queries about the topics discussed, drop a comment, and I will get back to you quickly.

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

WRITTEN BY Md Shahid Afridi P

Share

Comments

  1. Rishi Raj

    Jan 25, 2022

    Reply

    Nice Piece Of Information

    • vishnu vardhan

      Jan 27, 2023

      Reply

      Hi Rishi Raj

      arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/[MY_FOLDER1]/[MY FOLDER2]/[MY_FILE].txt

      I need json script for above one(folder in side the folder and folder)
      Please share me the same.

    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!