In this example we will see how to grant a particular user, "randeep", access to the buckets bucket1 and bucket2 only. The user will not have access to the objects in any other bucket.
This is done by creating a custom policy in the AWS IAM console and attaching it to the user.
Creating a custom policy in the AWS IAM console:
Log in to the IAM console -> Users -> randeep. Under User Policies, click Attach User Policy. Select Custom Policy and proceed to the next step.
You will be prompted for a Policy Name and a Policy Document. The name can be anything, such as "s3accessrandeep". In the Policy Document, enter the policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket2"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"]
    }
  ]
}
With the above policy, user randeep has put (upload), get (download), and delete permissions on the objects in bucket1 and bucket2, and can list the contents of those two buckets. The first statement grants only the account-wide s3:ListAllMyBuckets and s3:GetBucketLocation calls that the console needs to display the bucket list; it does not grant access to the contents of any other bucket. Note that the bucket-level actions (s3:ListBucket) use the bucket ARN, while the object-level actions use the bucket ARN followed by /*.
You can also test the policy with the IAM Policy Simulator.
Checking the custom policy with the policy simulator:
In the Policy Simulator, select the service S3.
Under Select Actions, choose GetObject, PutObject, DeleteObject, CreateBucket, and DeleteBucket.
In Simulation Settings, under Resource, specify arn:aws:s3:::bucket1/* and run the simulation.
With the policy we created, the result is "allowed" for GetObject, PutObject and DeleteObject, and "denied" (implicit deny, since no statement grants them) for CreateBucket and DeleteBucket. Repeat the simulation with the second bucket's ARN as well, and with a bucket that is not in the policy to confirm that it is denied. Please comment if you have any difficulties regarding this.
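To show why the simulator returns those results, the following is an added example (not from the original post) of a simplified offline evaluator for the policy above: explicit Deny wins, a matching Allow grants access, and anything else is an implicit deny. It handles only Action/Resource wildcards, not Condition blocks, NotAction/NotResource, or bucket policies, so it is an illustration of the evaluation order rather than a replacement for the IAM Policy Simulator.

```python
import fnmatch
import json

# Constructed copy of the policy from the post (Version field included).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket2"]},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"]}
  ]
}
""")


def _as_list(value):
    # Action and Resource may be a single string or a list in IAM JSON.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM uses "*" and "?" as wildcards in Action/Resource. fnmatch does too,
    # but its "[...]" character classes are not IAM syntax, so escape them.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def evaluate(policy, action, resource):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one action/resource."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # an explicit Deny always wins
            decision = "allowed"
    return decision


if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket", "s3:DeleteBucket"):
        print(act, evaluate(POLICY, act, "arn:aws:s3:::bucket1/report.csv"))
    print("bucket3:", evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::bucket3/report.csv"))
```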