Every organization has an information storage platform where many employees access various files stored in the AWS S3 service in the organization's account. Sometimes, your organization wants to limit a particular IAM user's access to the S3 buckets. This can be done by attaching a custom policy to the IAM user without changing any bucket-level policies.
If you are new to Identity and Access Management, here is a blog to understand the 8 Best Practices of Identity and Access Management (IAM).
Consider this scenario:
As an AWS account admin/root user, you want to give your web developer access to a particular folder in your primary S3 bucket in the safest way. The developer can access only the specific folder written in the custom policy, and access to the rest of the folders is restricted. This method protects the data in all other folders from changes.
In this blog, I will show and explain the policy that will be attached to an IAM user named Shahid. I have already created a bucket named CloudThat with the following structure:
```
/CloudThat/Developer-files
/CloudThat/client-files
/CloudThat/infra-files
```
Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCloudthatBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::CloudThat"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "Developer-files/",
            "Developer-files/shahid-files/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::CloudThat"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "Developer-files/shahid-files/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::CloudThat/Developer-files/shahid-files/*"
      ]
    }
  ]
}
```
A brief explanation of each block:
Block 1:
Without this permission, the IAM user cannot view or access any S3 bucket or folder. The block grants two permissions: ListAllMyBuckets and GetBucketLocation. These allow the IAM user to see all the S3 buckets in the account and their locations (regions).
Even though the IAM user can list all buckets in the AWS account, he cannot access their contents. That depends on the other blocks.
Block 2:
Allow listing objects in the main bucket and the selected folder(s).
In this block, the resource is the bucket name, CloudThat, which contains the folder we want to give this IAM user access to. The user can list the contents of this bucket only at the prefixes named in the condition.
The condition is defined with a prefix and a delimiter: the listing is allowed only when the requested prefix is the bucket root (""), Developer-files/ or Developer-files/shahid-files/, and the delimiter is "/" (a folder-style listing, as the console and the CLI send it). This is required so the user can navigate down to the subfolder inside the S3 bucket.
Block 3:
Allow listing objects in that folder: any prefix starting with Developer-files/shahid-files/ is permitted, so the user can list everything under it, including nested folders.
Block 4:
Allow all AWS S3 actions (s3:*) on the objects under that folder, Developer-files/shahid-files/.
It is done!!!
Try to access it now. This user will get Access Denied for all buckets and folders except the selected folder.
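To see how the four blocks combine before attaching the policy to a real user, here is an added check written for this post (not the author's code and not AWS's evaluation engine). It is a deliberately simplified simulator that models only what this policy uses: Allow statements, wildcards in Action/Resource, and StringEquals/StringLike conditions on s3:prefix and s3:delimiter. The policy is embedded as the blog's policy with the Version set to "2012-10-17" (the only value IAM accepts) and no leading space in the StringLike prefix; the request list, the file names and the bucket some-other-bucket are constructed for the example.

```python
"""Added example: a minimal, simplified simulator for the folder-level S3 policy
on this page. Not AWS code. It ignores Deny, NotAction, permission boundaries,
case-insensitive action names and every condition operator the policy does not use."""
import fnmatch

BUCKET = "arn:aws:s3:::CloudThat"          # bucket name as used on the page
HOME = "Developer-files/shahid-files/"     # the developer's folder

# The blog's policy as a Python dict (Version corrected, stray space removed).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUserToSeeBucketListInTheConsole", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "AllowRootAndHomeListingOfCloudthatBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [BUCKET],
         "Condition": {"StringEquals": {
             "s3:prefix": ["", "Developer-files/", HOME],
             "s3:delimiter": ["/"]}}},
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [BUCKET],
         "Condition": {"StringLike": {"s3:prefix": [HOME + "*"]}}},
        {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": [BUCKET + "/" + HOME + "*"]},
    ],
}


def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Every operator/key pair must hold (AND); within one key any listed value
    may match (OR). A key absent from the request context fails the test, which
    is why a ListBucket call sent without s3:delimiter falls through Block 2."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(_glob(p, actual) for p in wanted)
            else:
                raise ValueError("operator not modelled: " + operator)
            if not ok:
                return False
    return True


def is_allowed(action, resource, context=None, policy=POLICY):
    """Default deny: allowed only if some Allow statement matches the action,
    the resource ARN and (when present) the condition."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_glob(a, action) for a in stmt["Action"]):
            continue
        if not any(_glob(r, resource) for r in stmt["Resource"]):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return True
    return False


# Constructed requests, shaped like what the console / CLI send for this user.
SCENARIOS = [
    ("locate any bucket", "s3:GetBucketLocation", "arn:aws:s3:::some-other-bucket", {}),
    ("list bucket root", "s3:ListBucket", BUCKET, {"s3:prefix": "", "s3:delimiter": "/"}),
    ("list Developer-files/", "s3:ListBucket", BUCKET,
     {"s3:prefix": "Developer-files/", "s3:delimiter": "/"}),
    ("list client-files/", "s3:ListBucket", BUCKET,
     {"s3:prefix": "client-files/", "s3:delimiter": "/"}),
    ("list Developer-files/ without delimiter", "s3:ListBucket", BUCKET,
     {"s3:prefix": "Developer-files/"}),
    ("deep list of home folder", "s3:ListBucket", BUCKET, {"s3:prefix": HOME + "2022/"}),
    ("get own file", "s3:GetObject", BUCKET + "/" + HOME + "report.txt", {}),
    ("get client file", "s3:GetObject", BUCKET + "/client-files/report.txt", {}),
    ("delete sibling file", "s3:DeleteObject", BUCKET + "/Developer-files/other.txt", {}),
]


def evaluate_scenarios():
    """Return {scenario name: allowed?} for every constructed request above."""
    return {name: is_allowed(action, res, ctx) for name, action, res, ctx in SCENARIOS}


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(("ALLOW" if allowed else "DENY "), name)
```

Two results are worth noticing: a recursive listing of Developer-files/ without a delimiter is denied (Block 2 requires the delimiter and Block 3 only covers the shahid-files prefix), while any listing under the developer's own folder, however deep, is allowed by Block 3. For the authoritative answer, run the same requests against the real user with the IAM policy simulator (`aws iam simulate-principal-policy`). Also note that real S3 bucket names must be lowercase, so a bucket created for this setup would have a name such as cloudthat, and the ARNs in the policy must match that exact name.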
Conclusion:
We have learned to write an IAM policy that manages a user's S3 access, restricting it to one S3 bucket and to a single folder within that bucket.
There are many other IAM policy types, such as identity-based policies, Access Control Lists (ACLs), permission boundaries, and session policies. Stay tuned on this platform to learn more about IAM policies and how to use them efficiently in upcoming blogs.
If you have any queries about the topics discussed, drop a comment, and I will get back to you quickly.
WRITTEN BY Md Shahid Afridi P
Rishi Raj
Jan 25, 2022
Nice Piece Of Information
vishnu vardhan
Jan 27, 2023
Hi Rishi Raj
arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/[MY_FOLDER1]/[MY FOLDER2]/[MY_FILE].txt
I need a JSON script for the above one (a folder inside a folder inside a folder).
Please share the same with me.