You can use IAM policies attached to roles or users to define permissions. In your case, IAM roles synchronized with AD groups would be central. You can use policy variables to assign permissions dynamically. For instance, you can use ${aws:username} or custom attributes from SAML assertions (when users federate into AWS using an AD identity) as variables in your IAM policies to grant access based on AD group membership. The ${aws:username} variable is used to insert the federated user's username into the policy, and a hypothetical ${aws:groups} variable (you would replace this with the actual name of the SAML attribute you use) is used to ensure the user can only access folders in the bucket that match their AD group names.
Example IAM Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAllMyBuckets",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ListOnlyMyGroupFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::company-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${aws:groups}/*", "${aws:groups}"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "LimitedAccessToSpecificBucket",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company-bucket/${aws:groups}/*"
    }
  ]
}
```

The `s3:prefix` and `s3:delimiter` condition keys are only present in the request context for `s3:ListBucket`, so the condition is attached to that statement alone; object-level actions (Get/Put/Delete) are scoped by the object ARN instead.
If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!
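The following is an added example (not part of the answer above and not AWS code) that evaluates a group-scoped S3 policy of the shape described above against sample requests, so you can see which calls the policy variables actually let through. It assumes the SAML assertion passes a session tag named `group`, referenced as the real IAM variable `${aws:PrincipalTag/group}` in place of the answer's hypothetical `${aws:groups}`; the evaluator itself is a deliberately small model of IAM matching (StringLike wildcards, variable substitution, default deny) and not the IAM engine.

```python
import re

BUCKET = "arn:aws:s3:::company-bucket"

# Constructed policy. The s3:prefix condition sits only on s3:ListBucket because
# object requests carry no s3:prefix key in their request context, and a
# StringLike condition on an absent key never matches. ${aws:PrincipalTag/group}
# is the session tag supplied by the SAML assertion (assumed tag name: "group").
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListAllMyBuckets", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "ListOwnGroupPrefix", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": BUCKET,
         "Condition": {"StringLike": {
             "s3:prefix": ["${aws:PrincipalTag/group}/*", "${aws:PrincipalTag/group}"],
             "s3:delimiter": ["/"]}}},
        {"Sid": "ObjectsUnderOwnGroupPrefix", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": BUCKET + "/${aws:PrincipalTag/group}/*"},
    ],
}

VARIABLE = re.compile(r"\$\{([^}]+)\}")


def substitute(text, ctx):
    """Replace ${key} with the request-context value; unknown keys stay verbatim."""
    return VARIABLE.sub(lambda m: ctx.get(m.group(1), m.group(0)), text)


def string_like(pattern, value):
    """StringLike semantics: case-sensitive, '*' matches any run, '?' one character.
    Substituted values are matched as pattern text too (a simplification of this toy)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def conditions_match(condition, ctx):
    """Every operator/key must match; a key missing from the context fails the statement."""
    for operator, clauses in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in clauses.items():
            if key not in ctx:
                return False
            if not any(string_like(substitute(p, ctx), ctx[key]) for p in as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Default deny; an explicit Deny wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(string_like(a.lower(), action.lower()) for a in as_list(stmt["Action"])):
            continue
        if not any(string_like(substitute(r, ctx), resource) for r in as_list(stmt["Resource"])):
            continue
        if not conditions_match(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def session_context(group, prefix=None, delimiter=None):
    """Request context for a federated session whose SAML assertion set the 'group' tag."""
    ctx = {"aws:PrincipalTag/group": group}
    if prefix is not None:
        ctx["s3:prefix"] = prefix
    if delimiter is not None:
        ctx["s3:delimiter"] = delimiter
    return ctx


if __name__ == "__main__":
    finance = session_context("finance", prefix="finance/", delimiter="/")
    print(is_allowed(POLICY, "s3:ListBucket", BUCKET, finance))                      # True
    print(is_allowed(POLICY, "s3:ListBucket", BUCKET, session_context("finance", "hr/", "/")))  # False
    print(is_allowed(POLICY, "s3:GetObject", BUCKET + "/finance/q1.csv", session_context("finance")))  # True
    print(is_allowed(POLICY, "s3:GetObject", BUCKET + "/hr/salaries.csv", session_context("finance")))  # False
```

Note the third check in `session_context`: a ListBucket call made without any `prefix` parameter is denied, because the condition key is absent from the request. Clients (including the console's folder view) must list with the group prefix, which is the intended behaviour of this pattern.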
If you want to access S3 objects through a filesystem, FSx for Lustre would provide POSIX-compatible file system access.
https://aws.amazon.com/blogs/aws/enhanced-amazon-s3-integration-for-amazon-fsx-for-lustre/