By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

How can I grant a user access to a specific folder in my Amazon S3 bucket?

4 minute read
1

I want to restrict an AWS Identity and Access Management (IAM) user to access only specific folders in Amazon Simple Storage Service (Amazon S3).

Resolution

If the user and bucket belong to the same AWS account, then use an IAM policy to grant the user access to the bucket folder. If the IAM policy grants access, then you don't need to update the bucket policy.

Note: If the Amazon S3 bucket policy explicitly denies the IAM user access to the folder, then you must update the bucket policy.

If the IAM user and S3 bucket belong to different AWS accounts, then grant access on both the IAM policy and the bucket policy. For more information, see How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?

Single-user policy

The following example IAM policy grants a user named David full access to only his folder (/home/David).

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowStatement1",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowStatement2A",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
     "Condition":{"StringEquals":{"s3:prefix":["","home/", "home/David"],"s3:delimiter":["/"]}}
    },
  {
     "Sid": "AllowStatement3",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
     "Condition":{"StringLike":{"s3:prefix":["home/David/*"]}}
    },    
   {
     "Sid": "AllowStatement4A",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/David/*"]
   }
 ]
}

The policy includes these statements:

  • AllowStatement1: Allows the user to list the buckets that belong to their AWS account. This permission allows the user to navigate to the bucket in the console.
  • AllowStatement2A: Allows the user to list the folders within DOC-EXAMPLE-BUCKET. This permission allows the user to navigate to the folder in the console.
  • AllowStatement3: Allows the user to list the contents within the DOC-EXAMPLE-BUCKET/home/David folder.
  • AllowStatement4A: Allows all actions, such as read, write, and delete permissions, within only the DOC-EXAMPLE-BUCKET/home/David folder.

Multiple-user policy

In some cases, you don't know the exact name of the resource when you write the policy. For example, you want to allow every user to have their own objects in an Amazon S3 bucket. Instead of creating individual policies for each user, use policy variables to create a group policy that applies to multiple users. Policy variables allow you to specify placeholders in a policy. When you make a request to AWS, a value from the request replaces the placeholder when the policy is evaluated.

The following example shows a policy for an Amazon S3 bucket that uses the policy variable ${aws:username}:

Note: This article uses the aws:username key and returns the user's friendly name, such as "Adele" or "David." This value is obtained from the username that you provide when you create the IAM user. In some cases, it's better to use a respective globally unique value. For example, when you use an IAM role, the value of aws:username might not be valid for that IAM entity. For more information, see Principal key values.

{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition":{"StringLike":{"s3:prefix":
                  [
                       "home/${aws:username}/*",
                       "home/${aws:username}"
                  ]
               }
        }
    },
    {
       "Sid": "AllowAllS3ActionsInUserFolder",
       "Action":["s3:*"],
       "Effect":"Allow",
       "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/${aws:username}/*"]
    }
  ]
}

In the preceding policy, when a user makes a request to AWS, the requester's name replaces the variable. For example, when David makes a request, ${aws:username} resolves to David.

Note: The IAM user can list all prefixes at the parent level, such as DOC-EXAMPLE-BUCKET/. Users can navigate to their home directory in any graphical user interface (GUI) client. If you don't provide the list action at the parent level, then you must use a command line interface to directly access the specific folder.

Related information

AWS Policy Generator

Controlling access to a bucket with user policies

Amazon S3 condition key examples

Topics
Storage
Tags
Amazon Simple Storage Service
Language
English

Related videos

Watch Ajita’s video to learn more (5:59)
Watch Ajita’s video to learn more (5:59)
AWS OFFICIAL
AWS OFFICIALUpdated 4 months ago
1 Comment

You can check NirvaShare, it has capabilities to share folders with users from the AWS identity center or from any other identity stores such as ActiveDirectory, etc

NirvaShare
replied 5 months ago

Relevant content