Wednesday, November 19, 2014

How to restrict Amazon s3 bucket access permissions for a user


Amazon Simple Storage Service (S3) is one of the most commonly used cloud storage technologies. In S3 we create buckets as storage locations; inside each bucket we can create directories (folders) and store objects (files, videos, etc.). A normal AWS account can create at most 100 buckets. We can also set permissions per bucket: we create IAM users and restrict each user's bucket access, so that some users have access to all buckets, some to only a few, and some have only read, only write, or both read and write permissions on a bucket. This post shows how to do that.

In this example we will set permissions for a particular user, "randeep", on the buckets bucket1 and bucket2. The user will have no access to any other bucket.

This is done by creating a custom policy in the AWS IAM console and attaching it to the user.

Creating a custom policy in the IAM console of AWS:

Log in to the IAM console -> Users -> randeep.

Under User Policies, click Attach User Policy. Select Custom Policy and proceed to the next step.

You will be prompted for a Policy Name and a Policy Document. The name can be anything, such as "s3accessrandeep". In the Policy Document field, enter the policy below.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket2"]
        },
        {
          "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
          "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"]
        }
      ]
    }
With the above policy, user randeep has put (upload), get (download) and delete permissions on the objects in bucket1 and bucket2, and can list the contents of those two buckets. The first statement only lets the user list bucket names and look up a bucket's region, which the console and most clients need. Nothing grants access to any other bucket, so IAM's implicit deny applies to all other buckets.

You can also test the policy using the IAM policy simulator.

Checking the custom policy with the policy simulator:

In the policy simulator, select the service S3.

Under Select actions, select GetObject, PutObject, DeleteObject, CreateBucket and DeleteBucket.

In Simulation Settings, under Resource name format, specify arn:aws:s3:::bucket1/* and run the simulation.

With the policy we created, the simulator reports access allowed for GetObject, PutObject and DeleteObject, and denied for CreateBucket and DeleteBucket. Repeat the simulation with the second bucket's ARN as well. Please comment if you have any difficulties regarding this.
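The simulator result above follows from how IAM evaluates a policy: an explicit Deny wins, otherwise any matching Allow grants, and a request matched by no statement is implicitly denied. The following script is an added example, not part of the original post or an AWS tool; it is a minimal offline evaluator of the post's policy (with a "Version" field added, which the post's listing omits) that reproduces the simulator's decisions and also shows why a third bucket is denied.

```python
import json
import re

# The policy from the post as a JSON document ("Version" is assumed; the post's listing omits it).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket2"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"]}
  ]
}""")

def _as_list(value):
    # Action and Resource may be a single string or a list in an IAM policy.
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value, ignore_case=False):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one character.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policy, action, resource):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action/resource pair.
    IAM logic: an explicit Deny always wins; otherwise any matching Allow grants;
    if no statement matches at all, the request is implicitly denied."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allowed"
    return decision

def simulate(policy, actions, resource):
    """Mirror the simulator's table: one decision per requested action on one resource."""
    return {a: evaluate(policy, a, resource) for a in actions}

if __name__ == "__main__":
    actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket", "s3:DeleteBucket"]
    # Constructed object ARNs: one in an allowed bucket, one in a bucket the policy never mentions.
    for resource in ("arn:aws:s3:::bucket1/report.csv", "arn:aws:s3:::bucket3/report.csv"):
        print(resource, simulate(POLICY, actions, resource))
```

The evaluator covers only Action, Resource and Effect; real IAM evaluation also applies Condition keys, NotAction/NotResource, bucket policies and the account's other attached policies, so treat the AWS simulator as the authority.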
