How can I grant a user Amazon S3 console access to only a certain bucket or folder?


I want to grant a user Amazon Simple Storage Service (Amazon S3) console access to a bucket or folder (prefix). However, I don't want the user to be able to see other buckets in the account, or other folders within the bucket. How can I limit the user's console access to only a certain Amazon S3 bucket or folder?

Short description

To limit a user's S3 console access to a certain bucket or folder (prefix), change the user's AWS Identity and Access Management (IAM) permissions. You can change the IAM permissions by performing the following:

1.    Remove permission for the s3:ListAllMyBuckets action.

2.    Add permission for s3:ListBucket only on the bucket or folder that you want the user to access.
Note: To allow the user to upload and download objects in the bucket or folder, you must also include s3:PutObject and s3:GetObject. These two actions apply to object ARNs (the bucket ARN followed by /prefix/*), not to the bucket ARN that s3:ListBucket uses.

Warning: After you change these permissions, the user gets an Access Denied error when they open the main Amazon S3 console page, because that page lists all buckets and therefore requires s3:ListAllMyBuckets. The user must access the bucket using a direct console link to the bucket or folder. The direct console link to a bucket looks like this:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/

The direct console link to a folder (such as folder2) looks like this:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/folder1/folder2/

Note: Amazon S3 uses a flat data structure instead of a file hierarchy. The console supports the concept of a folder as a way to group and organize files.

Resolution

Follow these steps to update a user's IAM permissions for console access to only a certain bucket or folder:

1.    Open the IAM console.

2.    From the console, open the IAM user or role that should have access to only a certain bucket.

3.    In the Permissions tab of the IAM user or role, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, search for the policy that grants the user permission to the s3:ListAllMyBuckets action or to s3:* actions (all S3 actions).

5.    Modify the policy to remove permission to the s3:ListAllMyBuckets action.

Note: If an attached policy allows s3:* (or full administrator access such as "Action": "*") on the "*" resource, that policy already grants s3:ListAllMyBuckets. Remove that statement rather than trying to carve an exception out of it, and use one of the example policies in this article instead. Check every policy attached to the user or role, including inline policies, group policies, and AWS managed policies such as AmazonS3FullAccess: IAM allows a request if any attached policy allows it, so a single remaining s3:* statement undoes the restriction.

6.    Add permission to s3:ListBucket only for the bucket or folder that you want the user to access from the console.

The following example policy is for access to an S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    }
  ]
}

The first statement allows s3:ListBucket on the bucket ARN, and the second allows s3:PutObject and s3:GetObject on the objects in DOC-EXAMPLE-BUCKET (the bucket ARN followed by /*). The two statements use different resources because s3:ListBucket is a bucket-level action while s3:GetObject and s3:PutObject are object-level actions; putting all three actions in one statement against the bucket ARN alone would not grant object access.

The following example policy grants access to a folder. The policy allows the user to perform the s3:ListBucket, s3:ListBucketVersions, s3:PutObject, s3:GetObject, and s3:GetObjectVersion actions only on folder2 within DOC-EXAMPLE-BUCKET. The s3:prefix condition limits listing to keys under folder1/folder2/; both the condition value and the object resource ARN end with a slash before the wildcard so that a sibling prefix such as folder1/folder2-archive/ does not match. s3:ListBucketVersions and s3:GetObjectVersion are required only if the bucket has versioning turned on and you want users to have access to prior versions of objects.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToAccessFolder2Only",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/folder1/folder2/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "folder1/folder2/*"
          ]
        }
      }
    }
  ]
}

7.    Provide the user with a direct console link to the S3 bucket or folder. The direct console link to an S3 bucket looks like this:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/

The direct console link to a folder looks like this:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/folder1/folder2/

The user must use the direct link to be able to access the S3 bucket or folder from the console.
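The following script is an added example and is not part of the AWS article. It builds the two example policies from this article for a given bucket and prefix, then checks offline which (simplified) S3 console requests each policy allows, and whether a policy still grants s3:ListAllMyBuckets (the check in steps 4 and 5). The policy evaluator is a deliberate simplification of IAM that I wrote for this example: it handles only Allow statements and the StringLike operator, models IAM's `*` and `?` wildcards with fnmatch, and assumes no Deny statements, SCPs, permissions boundaries, or bucket policies apply. The mapping of console pages to API calls in `console_requests` is an assumption as well, and the request names and object keys are constructed for illustration.

```python
"""Build the article's bucket- and folder-scoped S3 policies and test them offline.

Added example, not the article's own code. The evaluator models only Allow
statements and the StringLike condition operator (assumption: nothing else
such as a Deny, SCP, permissions boundary, or bucket policy is in play).
"""
from fnmatch import fnmatchcase

BUCKET = "DOC-EXAMPLE-BUCKET"
PREFIX = "folder1/folder2/"


def bucket_policy(bucket):
    """The article's first policy: console access to a whole bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def folder_policy(bucket, prefix):
    """The article's second policy: access limited to one prefix (folder)."""
    # The trailing slash is what stops "folder1/folder2-archive/" from matching.
    if not prefix.endswith("/"):
        raise ValueError("prefix must end with '/' so sibling prefixes do not match")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowUsersToAccessFolder2Only",
             "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"]},
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
             "Resource": [f"arn:aws:s3:::{bucket}"],
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: any matching Allow statement grants the request."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # explicit Deny is not modelled; the article's policies have none
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        satisfied = True
        for key, patterns in conditions.items():
            value = context.get(key)
            # A context key that is absent from the request never satisfies StringLike.
            if value is None or not any(fnmatchcase(value, p) for p in _as_list(patterns)):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def grants_list_all_buckets(policy):
    """The step-4/5 check: does any statement still cover s3:ListAllMyBuckets on '*'?"""
    return is_allowed(policy, "s3:ListAllMyBuckets", "*")


def console_requests(bucket, prefix):
    """Simplified, assumed mapping of console pages to the S3 API calls they need."""
    return {
        "main console page (bucket list)": ("s3:ListAllMyBuckets", "*", {}),
        "bucket root page": ("s3:ListBucket", f"arn:aws:s3:::{bucket}", {"s3:prefix": ""}),
        "folder page": ("s3:ListBucket", f"arn:aws:s3:::{bucket}", {"s3:prefix": prefix}),
        "sibling folder page": ("s3:ListBucket", f"arn:aws:s3:::{bucket}",
                                {"s3:prefix": "folder1/folder2-archive/"}),
        "download object in folder": ("s3:GetObject", f"arn:aws:s3:::{bucket}/{prefix}report.csv", {}),
        "download object outside folder": ("s3:GetObject", f"arn:aws:s3:::{bucket}/folder1/secret.txt", {}),
    }


def evaluate(policy, bucket, prefix):
    """Return {console page: allowed?} for the constructed console requests."""
    return {page: is_allowed(policy, action, resource, ctx)
            for page, (action, resource, ctx) in console_requests(bucket, prefix).items()}


if __name__ == "__main__":
    for name, policy in (("bucket policy", bucket_policy(BUCKET)),
                         ("folder policy", folder_policy(BUCKET, PREFIX))):
        print(f"{name}: grants ListAllMyBuckets = {grants_list_all_buckets(policy)}")
        for page, allowed in evaluate(policy, BUCKET, PREFIX).items():
            print(f"  {'ALLOW' if allowed else 'DENY ':5} {page}")
```

Running it shows why the direct link matters: under the folder policy the main console page and the bucket root page are both denied (the root page lists with an empty prefix, which does not match folder1/folder2/*), while the folder page and objects under the prefix are allowed. For an authoritative answer on a real policy, use the IAM policy simulator rather than this simplified evaluator, for example `aws iam simulate-custom-policy --policy-input-list file://folder-policy.json --action-names s3:ListBucket --resource-arns arn:aws:s3:::DOC-EXAMPLE-BUCKET --context-entries ContextKeyName=s3:prefix,ContextKeyValues=folder1/folder2/,ContextKeyType=string`, which also accounts for Deny statements and other operators this example does not model.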


Related information

User policy examples

AWS OFFICIAL
Updated 8 months ago