How can I use IAM policies to grant user-specific access to specific S3 folders?


I want to use IAM user policies to restrict access to specific folders within Amazon Simple Storage Service (Amazon S3) buckets.

Short description

You can use AWS Identity and Access Management (IAM) user policies to control who has access to specific folders in your Amazon S3 buckets.

Resolution

Single-user policy - This example policy lets a specific IAM user list the first-level folders of the bucket and then act on objects in that user's own folder and its subfolders, and nothing else. It uses an IAM user named David and a bucket named my-company with the following structure:

/home/Adele/
/home/Bob/
/home/David/
/restricted/
/root-file.txt

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "home/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/David/*"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-company/home/David/*"]
    }
  ]
}

The Amazon S3 console uses the slash (/) as a special character to show objects in folders: it sends a ListBucket request with the folder path as the prefix and "/" as the delimiter. The s3:prefix and s3:delimiter condition keys let the policy restrict which of those listings David can make. The second statement only matches a request whose prefix is exactly "" or "home/" and whose delimiter is exactly "/"; the third statement matches any listing whose prefix starts with home/David/. In the root listing David still sees the names restricted/ and root-file.txt, but he cannot list inside restricted/ and the fourth statement does not cover root-file.txt, so he cannot read it. Note that the condition keys must actually be present in the request: a ListBucket call that sends no delimiter (for example, a list-objects-v2 call with only --prefix home/) does not match the second statement and is denied, even though the same folder is visible in the console.

Multiple-user policy - In some cases, you might not know the exact name of the resource when you write the policy. For example, you might want to give every user their own folder in an Amazon S3 bucket, as in the previous example. Instead of creating a separate policy for each user that hard-codes the user's name in the resource, you can create a single group policy that works for any user in that group.

You can do this with policy variables, which are placeholders in a policy. When the policy is evaluated, each policy variable is replaced with a value taken from the request context itself, so the same statement scopes each user to their own folder.

This example shows a policy for an Amazon S3 bucket that uses the policy variable ${aws:username}:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-company"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "home/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-company"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/${aws:username}/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::my-company/home/${aws:username}/*"
      ]
    }
  ]
}

Note: Only StringLike recognizes an asterisk (*) as a wildcard. StringEquals doesn't, so "home/${aws:username}/*" must be used with StringLike, while the exact values "" and "home/" work with StringEquals. For more information, see string condition operators.

Note: The aws:username key is populated only for IAM users. For IAM role sessions and federated identities it is absent, so a statement whose resource or condition contains ${aws:username} cannot be resolved and never matches; such principals get no folder access from this policy rather than access to a folder with an empty name. Use a different variable (such as a session tag) if you need the same pattern for roles.
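To see how the conditions and the policy variable interact, here is a small evaluator that models the parts of IAM policy evaluation this page relies on: Action and Resource matching with "*", StringEquals and StringLike conditions, ${aws:username} substitution, and the implicit deny that applies when no statement matches. It is an added example, not AWS code, and it does not reproduce the rest of the IAM evaluation logic. It embeds the multiple-user policy from above; the single-user policy is the same policy with David substituted, so the results below hold for both. The bucket name and user names are the page's; the object keys and the list_bucket/object_action helpers are constructed for illustration.

```python
"""Minimal IAM-style evaluator for the folder-scoping policy (added example)."""
import fnmatch
import re

# The multiple-user policy from the page, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUserToSeeBucketListInTheConsole",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Effect": "Allow", "Resource": "*"},
        {"Sid": "AllowRootAndHomeListingOfCompanyBucket",
         "Action": ["s3:ListBucket"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::my-company"],
         "Condition": {"StringEquals": {"s3:prefix": ["", "home/"],
                                        "s3:delimiter": ["/"]}}},
        {"Sid": "AllowListingOfUserFolder",
         "Action": ["s3:ListBucket"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::my-company"],
         "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
        {"Sid": "AllowAllS3ActionsInUserFolder",
         "Action": ["s3:*"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::my-company/home/${aws:username}/*"]},
    ],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(template, ctx):
    """Expand ${key} from the request context; None when a key is absent.

    IAM behaves the same way: a statement whose variable cannot be resolved
    (aws:username for a role session, for example) simply never matches."""
    if any(name not in ctx for name in _VAR.findall(template)):
        return None
    return _VAR.sub(lambda m: ctx[m.group(1)], template)


def _glob(pattern, value):
    # IAM wildcards are '*' and '?'. None of the page's ARNs contain '[',
    # which fnmatch would otherwise treat as a character class.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in ctx:  # key missing from the request: no match
                return False
            wanted = [w for w in (_substitute(v, ctx) for v in _as_list(wanted))
                      if w is not None]
            if operator == "StringEquals":
                ok = ctx[key] in wanted
            elif operator == "StringLike":  # only StringLike honours '*'
                ok = any(_glob(w, ctx[key]) for w in wanted)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are not.
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        resources = [r for r in (_substitute(x, ctx) for x in _as_list(stmt["Resource"]))
                     if r is not None]
        if not any(_glob(r, resource) for r in resources):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def list_bucket(user, prefix=None, delimiter=None):
    """Simulate ListBucket on my-company; user=None models a role session."""
    ctx = {} if user is None else {"aws:username": user}
    if prefix is not None:
        ctx["s3:prefix"] = prefix
    if delimiter is not None:
        ctx["s3:delimiter"] = delimiter
    return evaluate(POLICY, "s3:ListBucket", "arn:aws:s3:::my-company", ctx)


def object_action(user, action, key):
    """Simulate an object-level action on a constructed key in my-company."""
    ctx = {} if user is None else {"aws:username": user}
    return evaluate(POLICY, action, f"arn:aws:s3:::my-company/{key}", ctx)


if __name__ == "__main__":
    print(list_bucket("David", "", "/"))            # console root view
    print(list_bucket("David", "home/Adele/", "/"))  # another user's folder
    print(list_bucket("David", "home/"))             # no delimiter sent
    print(list_bucket(None, "home/David/", "/"))     # role session: no aws:username
```

The interesting cases are the denials: a listing of home/ without a delimiter fails the StringEquals statement, a role session cannot resolve ${aws:username} and so matches neither the folder-listing nor the object statement (it can still list the bucket root, which uses no variable), and root-file.txt is visible in the root listing but not readable.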


Related information

Controlling access to a bucket with user policies

Amazon S3 condition key examples

Bucket policy examples