How can I grant a user access to a specific folder in my Amazon S3 bucket?
I want to restrict an AWS Identity and Access Management (IAM) user to access only specific folders in Amazon Simple Storage Service (Amazon S3).
Resolution
If the IAM user and bucket belong to the same AWS account, then use an IAM policy to grant the user access to the bucket folder. When you grant access in the IAM policy, you don't need to update the bucket policy. However, if the bucket policy explicitly denies the IAM user access to the folder, then you must update the bucket policy.
If the IAM user and S3 bucket belong to different accounts, then grant access in both the IAM policy and the bucket policy. For more information, see How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?
You can grant access to either single or multiple users in the IAM policy. For multiple users, the policy can include groups or an AWS IAM Identity Center ID.
Grant access to a single user
To grant access to a single user for only their folder, create an IAM policy.
Example policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStatement1",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowStatement2A",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "home/", "home/David"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowStatement3",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/David/*"]
        }
      }
    },
    {
      "Sid": "AllowStatement4A",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/David/*"]
    }
  ]
}
```
Note: Replace DOC-EXAMPLE-BUCKET with the name of your bucket.
In your policy, you can include statements such as the following:
- Use AllowStatement1 to allow the user to list the buckets that belong to their account and navigate to the bucket on the console.
- Use AllowStatement2A to allow the user to list the folders in DOC-EXAMPLE-BUCKET and navigate to the folder on the console.
- Use AllowStatement3 to allow the user to list the contents of the DOC-EXAMPLE-BUCKET/home/David folder and any prefix beneath it. The trailing slash in home/David/* is what keeps the statement from also matching other folders whose names start with David.
- Use AllowStatement4A to allow all S3 actions, such as read, write, and delete, on objects only in the DOC-EXAMPLE-BUCKET/home/David folder. Because the Resource is scoped to home/David/*, the user can't reach objects under any other prefix in the bucket.
Use a group policy to grant access to multiple users
Use policy variables to create a group policy for multiple users.
Example IAM policy for the group that uses the ${aws:username} policy variable, so that each member is scoped to a home folder named after their own IAM user name:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "home/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/${aws:username}/*", "home/${aws:username}"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/${aws:username}/*"]
    }
  ]
}
```
Note: Replace DOC-EXAMPLE-BUCKET with the name of your bucket.
The preceding policy uses the aws:username key, which resolves to the IAM user's friendly name, such as "Adele" or "David". That key is present in the request context only for IAM users. For a principal such as an assumed IAM role, aws:username is absent, a statement that references ${aws:username} can't be resolved and therefore doesn't match, and the role gets none of the folder permissions. In that case, use a key that is present for the principal, such as the unique aws:userid. For more information, see Principal key values.
With this policy, IAM users can list the top-level prefixes of DOC-EXAMPLE-BUCKET/ and of home/, but not the contents of another user's folder, so they can browse to their own home folder in the console or any graphical user interface (GUI) client. If you don't allow s3:ListBucket at those parent levels, the console and most GUI clients can't navigate to the folder, and users must address objects by their full key from a command line interface or an SDK.
Use AWS IAM Identity Center to grant access to multiple users
You can control access to an S3 bucket folder based on the AWS IAM Identity Center principal. Each user in the IAM Identity Center directory has a unique user ID. Use the ${identitystore:UserId} policy variable for each user who you want to restrict folder access to.
When you create the S3 folder, use a folder name that matches the user's ID in the IAM Identity Center directory. For example, user John has the unique user ID 1111111111-2a2aaa222-bb33-4444-5555-5cc5555c555c. To scope John's access, create a folder for John in the S3 bucket named /home/1111111111-2a2aaa222-bb33-4444-5555-5cc5555c555c. To find the user IDs for your users, navigate to each user on the IAM Identity Center console, or use the DescribeUser API.
The following example IAM policy uses the ${identitystore:UserId} variable:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "home/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/${identitystore:UserId}/*", "home/${identitystore:UserId}"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/${identitystore:UserId}/*"]
    }
  ]
}
```
Note: Replace DOC-EXAMPLE-BUCKET with the name of your bucket.
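The following script is an added example and is not part of the original article or of any AWS tooling. It rebuilds the home-folder policy pattern from the single-user, group, and IAM Identity Center sections above and implements just enough of IAM's evaluation rules (Allow statements only, wildcard matching of Action and Resource, StringEquals and StringLike on s3:prefix, and ${key} policy variables) to show, offline, which ListBucket prefixes and object keys each variant grants. The bucket name, user names, the role session ID, and the request contexts are constructed for the demonstration. It is a teaching aid, not a substitute for IAM; the authoritative check for a real policy is aws iam simulate-custom-policy or simulate-principal-policy.

```python
"""Local what-if check for the home-folder S3 policies on this page.
Added example, not the article's code. Models Allow statements, Action/Resource
wildcards, StringEquals/StringLike on s3:prefix and ${key} policy variables.
Deny statements, SCPs and bucket policies are deliberately out of scope."""
import fnmatch
import json
import re

_VAR = re.compile(r"\$\{([A-Za-z]+:[A-Za-z]+)\}")


def folder_policy(bucket: str, user_var: str) -> dict:
    """Return the page's group policy with the per-user folder named by user_var,
    e.g. "${aws:username}" (IAM users) or "${identitystore:UserId}" (Identity Center)."""
    home = f"home/{user_var}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListBuckets", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "ListRootAndHome", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         "Condition": {"StringEquals": {"s3:prefix": ["", "home/"],
                                        "s3:delimiter": ["/"]}}},
        {"Sid": "ListUserFolder", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         # The trailing "/" matters: "home/David*" would also match home/Davidson/.
         "Condition": {"StringLike": {"s3:prefix": [f"{home}/*", home]}}},
        {"Sid": "AllInUserFolder", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": [f"arn:aws:s3:::{bucket}/{home}/*"]},
    ]}


def _render(stmt: dict, context: dict):
    """Substitute ${key} variables from the request context. Returns None when a
    referenced key is absent (e.g. aws:username for a role session): IAM treats
    such a statement as not matching, which is the caveat discussed in the text."""
    missing = False

    def sub(match):
        nonlocal missing
        if match.group(1) not in context:
            missing = True
            return ""
        return context[match.group(1)]

    text = _VAR.sub(sub, json.dumps(stmt))
    return None if missing else json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition: dict, context: dict) -> bool:
    """StringEquals / StringLike over condition keys; an absent key never matches."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in context:
                return False
            have = context[key]
            if operator == "StringEquals":
                ok = have in wanted
            elif operator == "StringLike":  # IAM wildcards * and ?
                ok = any(fnmatch.fnmatchcase(have, pattern) for pattern in wanted)
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if some Allow statement matches action, resource and all conditions."""
    for raw in policy["Statement"]:
        stmt = _render(raw, context)
        if stmt is None or stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_ok(stmt.get("Condition", {}), context):
            return True
    return False


def can_list(policy: dict, bucket: str, prefix: str, context: dict) -> bool:
    """Console-style listing: s3:ListBucket with s3:prefix and s3:delimiter "/"."""
    ctx = {**context, "s3:prefix": prefix, "s3:delimiter": "/"}
    return is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}", ctx)


def can_get(policy: dict, bucket: str, key: str, context: dict) -> bool:
    return is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}", context)


if __name__ == "__main__":
    policy = folder_policy("DOC-EXAMPLE-BUCKET", "${aws:username}")
    david = {"aws:username": "David"}             # constructed IAM-user context
    role = {"aws:userid": "AROAEXAMPLE:session"}  # constructed role context, no aws:username
    for prefix in ["", "home/", "home/David/", "home/Adele/", "home/Davidson/"]:
        print(f"David lists {prefix!r:18} -> {can_list(policy, 'DOC-EXAMPLE-BUCKET', prefix, david)}")
    print("David gets own object  ->", can_get(policy, "DOC-EXAMPLE-BUCKET", "home/David/report.csv", david))
    print("role lists home/David/ ->", can_list(policy, "DOC-EXAMPLE-BUCKET", "home/David/", role))
```

Running it shows the three properties the article relies on: the root and home/ listings succeed for everyone, only the user's own folder (and nothing that merely starts with their name, such as home/Davidson/) is listable or readable, and a principal whose request context lacks the referenced variable gets no folder access at all. Before deploying a real policy, run the same cases through aws iam simulate-custom-policy with --context-entries for s3:prefix and s3:delimiter, which also accounts for Deny statements, permissions boundaries, and SCPs that this model ignores.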
Related information
Controlling access to a bucket with user policies
You can check NirvaShare; it has capabilities to share folders with users from the AWS Identity Center or from any other identity stores such as Active Directory, etc.