AWS S3 Bucket Policy Setup for Specific Bucket Access


Setting: You want to allow a user to upload data to an S3 bucket using the AWS CLI, but you do not want this user to see which other buckets exist in your AWS account.

Solution: This can be done by attaching the policy below to the IAM user. Be aware that "s3:*" grants every S3 action on that one bucket, including deleting objects and changing the bucket's own policy and ACLs; if the user only needs to upload, narrow the Action list to the calls actually required (for example s3:PutObject and s3:ListBucket).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "some_number",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

With only the policy above, a plain "aws s3 ls" (no bucket name) fails with AccessDenied, because listing buckets requires the separate s3:ListAllMyBuckets permission. If you also want the user to be able to list all other buckets, add the following statement to the Statement array. It reveals only the bucket names account-wide; it does not grant access to anything inside those buckets.

{
  "Effect": "Allow",
  "Action": "s3:ListAllMyBuckets",
  "Resource": [
    "arn:aws:s3:::*"
  ]
}

Note: Replace "bucket-name" with the name of your bucket, and give the Sid a value of your own (the Sid is an optional statement identifier; in an IAM user policy it must be unique within the policy and contain only letters and digits). I used the AWS Policy Generator to produce this policy, modifying the settings from the reference below.
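To make the effect of the two statements concrete, here is an added example (my code, not part of the original post) that builds the single-bucket policy programmatically and evaluates requests against it with a minimal IAM-style matcher. The helper names build_policy, is_allowed and policy_json, the Sid "AllowSingleBucket", and the simplified evaluation rules are my own assumptions; real IAM also considers conditions, principals, resource policies and service control policies, which this evaluator ignores. It also goes slightly beyond the post by showing a least-privilege Action list instead of "s3:*".

```python
"""Added example: build and evaluate the single-bucket S3 policy.

Assumptions (not from the original post): function names, the Sid value,
and the simplified evaluation (explicit Deny wins, otherwise any matching
Allow, otherwise implicit deny). Conditions, principals and resource-based
policies are deliberately out of scope.
"""
import json
import re


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def build_policy(bucket: str, actions=("s3:*",), allow_list_all_buckets=False,
                 sid="AllowSingleBucket") -> dict:
    """Return the policy document as a dict.

    json.dumps() on the result yields valid JSON (no trailing comma after
    the last statement). 'actions' defaults to the post's "s3:*"; pass a
    narrower tuple such as ("s3:ListBucket", "s3:PutObject") for upload-only.
    """
    statements = [{
        "Sid": sid,
        "Effect": "Allow",
        "Action": list(actions),
        # Bucket ARN for bucket-level calls (ListBucket), object ARN for
        # object-level calls (PutObject, GetObject, DeleteObject ...).
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]
    if allow_list_all_buckets:
        # The post's optional second statement: exposes bucket *names*
        # account-wide but grants nothing inside other buckets.
        statements.append({
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": ["arn:aws:s3:::*"],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_json(bucket: str, **kwargs) -> str:
    """Pretty-printed JSON, ready to paste into the IAM console or CLI."""
    return json.dumps(build_policy(bucket, **kwargs), indent=2)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM decision for one (action, resource) request.

    Action names are matched case-insensitively, ARNs case-sensitively.
    A ListAllMyBuckets request is modelled as targeting "arn:aws:s3:::*",
    since that action is not scoped to a single bucket (my simplification).
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        resources = stmt["Resource"]
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        action_hit = any(_wildcard_match(a.lower(), action.lower()) for a in actions)
        resource_hit = any(_wildcard_match(r, resource) for r in resources)
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False  # explicit deny always wins
            allowed = True
    return allowed  # no matching Allow -> implicit deny


if __name__ == "__main__":
    print(policy_json("bucket-name"))
    pol = build_policy("bucket-name")
    print("upload to own bucket :", is_allowed(pol, "s3:PutObject", "arn:aws:s3:::bucket-name/myfile_folder/a.txt"))
    print("list all buckets     :", is_allowed(pol, "s3:ListAllMyBuckets", "arn:aws:s3:::*"))
    print("read other bucket    :", is_allowed(pol, "s3:GetObject", "arn:aws:s3:::other-bucket/secret"))
```

Running the block prints the corrected policy and shows that, without the second statement, the user can write to bucket-name but cannot enumerate buckets or touch any other bucket. Swapping the default actions for ("s3:ListBucket", "s3:PutObject", "s3:GetObject") additionally removes DeleteObject and PutBucketPolicy, which "s3:*" would otherwise grant.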

Example:
Listing the contents of bucket-name (the profile s3-bucket-username holds this user's access keys):

aws s3 ls s3://bucket-name --region ap-northeast-2 --profile s3-bucket-username

Uploading the directory myfile_folder to the bucket (a directory needs --recursive; without it, cp refuses to upload it):

aws s3 cp myfile_folder s3://bucket-name --recursive --region ap-northeast-2 --profile s3-bucket-username

You can also use the sync command, which uploads only files that are new or changed since the last run:

aws s3 sync myfile_folder s3://bucket-name --region ap-northeast-2 --profile s3-bucket-username

Ref: http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/
