Technical Solution

How to create custom policy to grant access for a user to an S3 bucket

Chithra.k | | 2 min read

One day my client came to me and asking about something which I was not so familiar of. His requirement can be simply put like this.
He has an amazon account and have couple of S3 buckets. He has created a new S3 bucket and a new user. He needs this user to only access this new bucket. Let's call this user "new-user" and the bucket "new-bucket". I was not sure how to do this, but eventually I was able to. Read on if you want to know how to do this.

  • Step 1 : Create a user "new-user".
  • Step 2 : Create a bucket "new-bucket".
  • Step 3 : Go to the IAM interface - Services -> IAM.(Refer Screenshot)
  • Step 4 : Click on the link Policies which will list all the current policies.
  • Step 5 : In order for the user "new-user" to allow the permission only for the bucket, "new-bucket", you will have to add two policies. First, to list all buckets. Second, to grant access to the particular bucket. To create a policy, click on the "create policy" button and select "Create Your Own Policy".(Refer Screenshot)
  • Step 6: Add the policy name and description. For eg: ListAllBuckets.
  • Step 7 : Add the following inside the policy document.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Step 7: Create a new policy to grant "new-bucket" to "new-user" with the following as the Policy document.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::new-bucket",
                "arn:aws:s3:::new-bucket/*"
            ]
        }
    ]
}
  • Step 8: Now that you have created policies, attach these to the "new-user". Click on the user link in the IAM service page. Select the "new-user" and click on Attach Policy button. Select the two newely created policies to the "new-user".

Once the new user logs in, he will be able to see all the list of buckets, but will only be able to access the bucket "new-bucket". Let me know if you need any clarification via the comment box below.

Need any further assistance get in touch with us or contact us to know more.

 

 

Related Topics