I want to restrict an AWS Identity and Access Management (IAM) user to access only specific folders in Amazon Simple Storage Service (Amazon S3).
Resolution
If the user and bucket belong to the same AWS account, then use an IAM policy to grant the user access to the bucket folder. If the IAM policy grants access, then you don't need to update the bucket policy.
Note: If the Amazon S3 bucket policy explicitly denies the IAM user access to the folder, then you must update the bucket policy.
If the IAM user and S3 bucket belong to different AWS accounts, then grant access on both the IAM policy and the bucket policy. For more information, see How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?
Single-user policy
The following example IAM policy grants a user named David full access to only his folder (the home/David/ prefix) in DOC-EXAMPLE-BUCKET.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowStatement1",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowStatement2A",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
"Condition":{"StringEquals":{"s3:prefix":["","home/", "home/David"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowStatement3",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
"Condition":{"StringLike":{"s3:prefix":["home/David/*"]}}
},
{
"Sid": "AllowStatement4A",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/David/*"]
}
]
}
The policy includes these statements:
- AllowStatement1: Allows the user to list the buckets that belong to their AWS account. This permission allows the user to navigate to the bucket in the console.
- AllowStatement2A: Allows the user to list the folders within DOC-EXAMPLE-BUCKET. This permission allows the user to navigate to the folder in the console.
- AllowStatement3: Allows the user to list the contents within the DOC-EXAMPLE-BUCKET/home/David folder.
- AllowStatement4A: Allows all object-level actions, such as read, write, and delete, within only the DOC-EXAMPLE-BUCKET/home/David/ folder. Because the wildcard s3:* also covers actions such as s3:PutObjectAcl, list only the specific actions the user needs if you don't want the user to change object ACLs or other object settings.
Multiple-user policy
In some cases, you don't know the exact name of the resource when you write the policy. For example, you want to allow every user to have their own objects in an Amazon S3 bucket. Instead of creating individual policies for each user, use policy variables to create a group policy that applies to multiple users. Policy variables allow you to specify placeholders in a policy. When you make a request to AWS, a value from the request replaces the placeholder when the policy is evaluated.
The following example shows a policy for an Amazon S3 bucket that uses the policy variable ${aws:username}:
Note: The policies in this article use the aws:username key, which resolves to the user's friendly name, such as "Adele" or "David." This value comes from the user name that you specify when you create the IAM user. In some cases, it's better to use a globally unique value, such as aws:userid. For example, the aws:username key isn't present in the request context when the caller is an IAM role, so a policy that references ${aws:username} doesn't resolve as intended for that IAM entity. For more information, see Principal key values.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowGroupToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
"Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
"Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*", "home/${aws:username}"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Action":["s3:*"],
"Effect":"Allow",
"Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/${aws:username}/*"]
}
]
}
In the preceding policy, when a user makes a request to AWS, the requester's name replaces the variable. For example, when David makes a request, ${aws:username} resolves to David.
Note: This policy lets the IAM user list the prefixes at the parent levels, such as DOC-EXAMPLE-BUCKET/ and home/, but only the contents of the user's own folder. This is what lets users navigate to their home folder in a graphical user interface (GUI) client such as the Amazon S3 console. If you don't grant the list action at the parent levels, then users must use a command line interface or an API call that addresses the specific folder directly.
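To check what the single-user and multiple-user policies above actually allow before you attach them, the following added example (not part of the original article or of any AWS tool) implements a minimal evaluator for the policy features these two policies use: Action and Resource wildcards, StringEquals and StringLike conditions on the s3:prefix and s3:delimiter keys, the ${aws:username} policy variable, and the rule that an explicit Deny wins over any Allow. The multiple-user policy is embedded unchanged; David's single-user policy evaluates the same way with the literal name in place of the variable. The request contexts (user name, prefix, delimiter) are constructed for the demonstration, and a missing key, such as aws:username for a role session, is modelled as "the statement doesn't match", which is a simplification of the real IAM evaluation logic. For a policy you are about to deploy, the aws iam simulate-custom-policy and simulate-principal-policy commands give the authoritative answer.

```python
"""Minimal evaluator for the S3 home-folder policies above (added example, not AWS code)."""
import json
import re

# The multiple-user policy from this article, embedded unchanged.
POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowGroupToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow", "Resource": ["arn:aws:s3:::*"]},
    {"Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"], "Effect": "Allow",
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
     "Condition": {"StringEquals": {"s3:prefix": ["", "home/"], "s3:delimiter": ["/"]}}},
    {"Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"], "Effect": "Allow",
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
     "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*", "home/${aws:username}"]}}},
    {"Sid": "AllowAllS3ActionsInUserFolder",
     "Action": ["s3:*"], "Effect": "Allow",
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/${aws:username}/*"]}
  ]
}
""")

BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"


def _wild(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _substitute(text, ctx):
    """Resolve ${key} policy variables; None if a referenced key is absent from the context."""
    missing = False

    def repl(match):
        nonlocal missing
        value = ctx.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    out = re.sub(r"\$\{([^}]+)\}", repl, text)
    return None if missing else out


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, ctx):
    """StringEquals / StringLike only (the operators used on this page).
    A condition key missing from the request context makes the condition false."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = ctx.get(key)
            resolved = [_substitute(p, ctx) for p in _as_list(patterns)]
            if actual is None or None in resolved:
                return False
            if operator == "StringEquals":
                matched = actual in resolved
            elif operator == "StringLike":
                matched = any(_wild(p, actual) for p in resolved)
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
            if not matched:
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    if not any(_wild(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
        return False
    resources = [_substitute(r, ctx) for r in _as_list(stmt["Resource"])]
    if not any(r is not None and _wild(r, resource) for r in resources):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """Explicit Deny wins, then any matching Allow, otherwise implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def can_list(user, prefix, delimiter=None):
    """s3:ListBucket with the s3:prefix and s3:delimiter keys a ListObjects call sends."""
    ctx = {"aws:username": user, "s3:prefix": prefix}
    if delimiter is not None:
        ctx["s3:delimiter"] = delimiter
    return evaluate(POLICY, "s3:ListBucket", BUCKET_ARN, ctx)


def can_act(user, action, key):
    """Any object-level action on DOC-EXAMPLE-BUCKET/<key>; user=None models a role session."""
    return evaluate(POLICY, action, f"{BUCKET_ARN}/{key}", {"aws:username": user})


if __name__ == "__main__":
    for args in [("David", "", "/"), ("David", "home/", "/"), ("David", "home/"),
                 ("David", "home/David/"), ("David", "home/Adele/")]:
        print("ListBucket", args, "->", can_list(*args))
    print("GetObject home/David/report.csv ->", can_act("David", "s3:GetObject", "home/David/report.csv"))
    print("GetObject home/Adele/report.csv ->", can_act("David", "s3:GetObject", "home/Adele/report.csv"))
    print("GetObject as a role session ->", can_act(None, "s3:GetObject", "home/David/report.csv"))
```

Two results are worth noting. A listing of home/ with no delimiter is denied, because the StringEquals statement requires s3:delimiter to be "/", so a client that lists with only a prefix cannot browse the parent levels. And a request for the object named exactly home/David is denied, because the resource ARN home/David/* only matches keys under that prefix.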
Related information
AWS Policy Generator
Controlling access to a bucket with user policies
Amazon S3 condition key examples