Amazon Web Services Identity and Access Management (AWS IAM) is a crucial component of AWS, offering a robust solution for securely managing access to AWS services and resources.
In conjunction with AWS IAM, Amazon Simple Storage Service (Amazon S3) provides scalable and durable object storage in the cloud.
As a key component of AWS, Amazon S3 allows users to store and retrieve any amount of data while benefiting from a highly available and secure infrastructure. Integrating AWS IAM with Amazon S3 ensures a comprehensive approach to security, granting precise control over access to Amazon S3 buckets and objects, safeguarding sensitive data, and enhancing overall data management in the AWS cloud.
In this article, we’ll look at what folders are and how you can restrict access to them using Amazon S3 policies. By controlling permissions appropriately, the goal is to give federated users complete access to their files and complete access to none of the other folders.
Let’s assume we have three developers on our team: Kumar, Mark, and Guru. They should only be able to access their folders, as each has a distinct folder in a shared Amazon S3 bucket. AWS IAM Identity Center, the replacement for AWS Single Sign-On, is used to authenticate these users.
Step 1 – In this post, we’ll focus on Mark. We’ll review the steps needed to set up those permissions for Mark with AWS IAM Identity Center and Amazon S3. Let’s start with what folders are in Amazon S3, because it isn’t as simple as it seems. To understand how to create a folder-level policy, we’ll walk through a scenario like what many of us have seen on existing file shares:
Each AWS IAM Identity Center user has access only to their own home folder. Folder-level permissions let you manage granularly who has access to which objects in a bucket.
You will be presented with a policy that allows AWS IAM Identity Center users to store their data in the same Amazon S3 bucket. The policy allows users within the company to download or upload files in their own department’s folder, but not in any other department’s folder in the bucket.
After discussing policies, we’ll learn how to create an individual policy for each AWS IAM Identity Center user.
The rest of this post uses a policy that maps to Mark’s AWS IAM Identity Center user. You must also have already created an Amazon S3 bucket.
Note: We need to update the bucket name to a unique name because Amazon S3 buckets have a global namespace.
For now, we’ll use an Amazon S3 bucket that has the following structure (‘my-new-company-123456789’ is the example bucket name for the rest of the blog):
Now, the structure of our Amazon S3 bucket should include two directories, ‘home’ and ‘confidential’, with a file named ‘root-file.txt’ in the main bucket directory. Inside confidential, we have no items or folders. Inside the home directory, we have three sub-folders: Kumar, Mark, and Guru.
Step 2 – A Quick Overview of Amazon S3 Items
It is worth reviewing Amazon S3 object naming conventions before delving into the policy; this overview is not exhaustive, but it will help you understand how the policy works. Proceed directly to Step 3, “Establishing ‘Mark’ within Identity Center”, if you are already familiar with Amazon S3 objects and prefixes.
When you create a bucket on Amazon S3, it holds objects and stores data in a flat format. Amazon S3 has no sub-bucket or folder structure; however, tools like the console simulate a hierarchy and display folders by using the object names (keys). When we create a folder, Amazon S3 creates a 0-byte object whose key is the folder name you supply. For example, if we create a folder named ‘photos’ in the bucket, the Amazon S3 console creates a 0-byte object with the key ‘photos/’. The console does this to support the idea of folders. The Amazon S3 console treats as a folder any object whose key name ends with a forward slash (/) as the final (trailing) character (e.g., examplekeyname/).
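As an added illustration (not code from the original post), the following Python emulates how the console, and a delimiter-based ListObjectsV2 call, derive folders from the flat key namespace of the example bucket. The object sizes and the ‘notes.txt’ file under home/Mark/ are constructed sample data.

```python
"""Emulate how Amazon S3 'folders' are derived from a flat key namespace."""
from dataclasses import dataclass


@dataclass(frozen=True)
class S3Object:
    key: str
    size: int


# Constructed sample of the blog's bucket layout (my-new-company-123456789).
# The 0-byte keys that end in '/' are the folder markers the console creates.
SAMPLE_BUCKET = [
    S3Object("root-file.txt", 12),
    S3Object("home/", 0),
    S3Object("confidential/", 0),
    S3Object("home/Kumar/", 0),
    S3Object("home/Mark/", 0),
    S3Object("home/Guru/", 0),
    S3Object("home/Mark/notes.txt", 40),  # constructed file inside Mark's folder
]


def is_folder_marker(obj: S3Object) -> bool:
    """The console shows any object whose key ends in '/' as a folder."""
    return obj.key.endswith("/")


def list_objects(objects, prefix="", delimiter="/"):
    """Mimic ListObjectsV2: return (contents, common_prefixes).

    Keys under `prefix` whose remainder still contains the delimiter are rolled
    up into a common prefix (a 'subfolder'); everything else is a content key.
    With delimiter=None the flat namespace is returned as-is.
    """
    contents, common = [], set()
    for obj in objects:
        if not obj.key.startswith(prefix):
            continue
        rest = obj.key[len(prefix):]
        if delimiter and delimiter in rest:
            common.add(prefix + rest.split(delimiter, 1)[0] + delimiter)
        else:
            contents.append(obj.key)
    return sorted(contents), sorted(common)


if __name__ == "__main__":
    for p in ("", "home/", "home/Mark/"):
        files, folders = list_objects(SAMPLE_BUCKET, p)
        print(f"prefix={p!r}: files={files} folders={folders}")
```

The root listing reports only root-file.txt plus the two “folders”, while listing with no delimiter reveals that every folder is just another key.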
Step 3 – Establishing ‘Mark’ within Identity Center
We can centrally manage access across AWS accounts and applications and securely create or connect employee identities with the aid of the AWS IAM Identity Center. Organizations of all sizes and types are advised to use the Identity Center on AWS for employee authentication and authorization. We can connect the existing identity source, such as Microsoft Active Directory, Okta, Ping Identity, JumpCloud, Google Workspace, and Azure Active Directory (Azure AD), or use Identity Center to create and manage user identities in AWS.
First, configure “Mark” as an AWS IAM Identity Center user. Create a user by opening the AWS Management Console, selecting AWS IAM Identity Center, and starting the process.
Note: The following steps apply to Identity Center instances that do not have System for Cross-domain Identity Management (SCIM) provisioning enabled. If SCIM is enabled, the Add user option is not available.
Step 4 –
1. From the left panel of the Identity Center console, select Users, and then choose Add user.
2. Enter “Mark” as the username, followed by the user’s first name, last name, and display name, and an email address you can access to confirm their identity.
3. Leave the rest at the defaults and choose Add user.
4. Select Users from the left panel and verify that the user ‘Mark’ has been created.
5. Now that the user ‘Mark’ is created and available, use the left panel to navigate to Permission sets and choose Create permission set.
6. Select ‘Custom permission set’ as the ‘Permission set type’, and choose
Let’s start by adding “Mark” as a user to the AWS IAM Identity Center. First, launch the AWS Management Console, navigate to the AWS IAM Identity Center, and establish a user.
In this first part of the blog, we covered setting up permissions for one specific user. Amazon S3 lets us grant the right user exactly the access they need. In the second part of the blog, we will dive deeper into “Permission Sets”, “Access Control” and “Policy Variables”.
Click here to check on Part 2.
Drop a query if you have any questions regarding Amazon S3 and we will get back to you quickly.
1. How do I give users access to a specific Amazon S3 bucket?
ANS: – Create a user with access to the bucket
- Go to the AWS IAM Management Console.
- Click Users on the sidebar.
- Click the Add Users button.
- Enter atensoftware as the User name.
- Check the Programmatic access checkbox for Access type.
- Click the Next: Permissions button.
- Select Attach existing policies directly.
2. What ways can we access Amazon S3 buckets?
ANS: – An Amazon S3 bucket can be accessed through its URL. The URL format of a bucket is either of two options:
- http://s3.amazonaws.com/[bucket_name]/
- http://[bucket_name].s3.amazonaws.com/
WRITTEN BY Guru Bhajan Singh
Guru Bhajan Singh is currently working as a Software Engineer - PHP at CloudThat and has 6+ years of experience in PHP. He holds a Master's degree in Computer Applications and enjoys coding, problem-solving, learning new things, and writing technical blogs.