AWS S3 Read-Only IAM Policy for specific User


In this short tutorial, AWS S3 Read-Only IAM Policy for a specific User or User Group, we show how to create and manage AWS IAM policies scoped to specific S3 buckets. These policies can later be attached to IAM users or IAM user groups so that they hold Read-Only permissions and nothing more. AWS S3 is a great storage service on its own, but combined with AWS IAM it becomes a very powerful tool: we can tune permissions so that only specific users or user groups may read (or write) a given bucket, without exposing our entire content to the internet. Similar tutorials covering the same topic on other cloud providers such as GCP, Azure and AlibabaCloud will be published shortly; do a search to check whether one is already available.

Table of contents

Scenario
AWS S3 Full Access IAM Policy
AWS S3 Read-Only IAM Policy
AWS S3 Read-Only IAM Policy for multiple S3 Buckets

Scenario

Let's assume that we have a new project and one of its requirements is setting up IAM policies, such as Read-Only access to some particular S3 buckets, for a specific user or user group.

We have already created a new IAM user with Programmatic Access (CLI / API) to our AWS account resources: its Access Key and Secret Access Key are active, and the aws cli bundle package is installed and properly configured on the local or remote machine that will be used to access our Read-Only S3 bucket.

A new AWS S3 bucket called s3-bucket-ro, with the ARN arn:aws:s3:::s3-bucket-ro, will be created for this tutorial and used as the target of our AWS IAM S3 Read-Only policy.

AWS S3 Full Access IAM Policy

We are all very familiar with the policy shown below. It is the AWS managed policy called AmazonS3FullAccess, which gives full control over every S3 resource under our AWS account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

We can't say that it is a wrong policy, but we simply shouldn't use it. It is not advisable, and we may even call it a very bad habit and a very dangerous policy for any purpose except perhaps development. Even then, as long as a user holds full access to all our S3 resources, we risk losing everything in one go, and we don't want that.

AWS S3 Read-Only IAM Policy

In the first step of this tutorial we create a new IAM policy named s3-bucket-ro-policy that allows a specific IAM user or IAM user group only to list and read the content of a specific AWS S3 bucket, in this case the newly created s3-bucket-ro bucket.

So let's get back to the AWS Web Console and create a new policy within IAM called s3-bucket-ro-policy using the JSON shown below (s3:ListBucket applies to the bucket ARN, s3:GetObject* to the object ARNs under it, which is why both resource forms are listed):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyReadOnlyBucketPolicyV1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-ro",
                "arn:aws:s3:::s3-bucket-ro/*"
            ]
        }
    ]
}

Assuming that we have previously uploaded a text file called MyReadOnlyFile.txt to our s3-bucket-ro S3 bucket, let's try to list the content of this bucket with the following CLI command:

aws s3 ls s3://s3-bucket-ro

A successful output should look similar to this:

2019-07-23 11:35:31          0 MyReadOnlyFile.txt

Let's now try to download (get) this MyReadOnlyFile.txt file locally using the following AWS CLI command in our terminal window:

aws s3 cp s3://s3-bucket-ro/MyReadOnlyFile.txt .

Once again a successful output will look like this:

download: s3://s3-bucket-ro/MyReadOnlyFile.txt to ./MyReadOnlyFile.txt

We can easily confirm that the downloaded file is present on our local or remote machine using the ls command:

ls

If the file is present, our s3-bucket-ro-policy policy works as expected:

MyReadOnlyFile.txt

Now we can safely attach this s3-bucket-ro-policy IAM policy to a particular IAM user, or even to a user group, knowing that the only S3 resource it grants access to is the s3-bucket-ro bucket, and only for listing and reading. Any write such as aws s3 cp ./file s3://s3-bucket-ro/ is not covered by the policy and is denied.

AWS S3 Read-Only IAM Policy for multiple S3 Buckets

By amending the previous IAM policy, s3-bucket-ro-policy, we can go further and expand the set of Read-Only S3 buckets by changing the Resource field like this (each bucket needs both its bucket ARN and its object ARN):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyReadOnlyMultiBucketPolicyV1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-ro_1st",
                "arn:aws:s3:::s3-bucket-ro_2nd",
                "arn:aws:s3:::s3-bucket-ro_3rd",
                "arn:aws:s3:::s3-bucket-ro_1st/*",
                "arn:aws:s3:::s3-bucket-ro_2nd/*",
                "arn:aws:s3:::s3-bucket-ro_3rd/*"
            ]
        }
    ]
}
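To make the two policies above concrete, here is an added Python example (not part of the original tutorial) that builds the tutorial's read-only policy for any list of buckets and evaluates requests against it the way IAM does: an explicit Deny wins, then any matching Allow, otherwise implicit deny. It assumes only Action and Resource wildcards, no Condition keys, and also flags a statement shaped like AmazonS3FullAccess.

```python
import fnmatch
import json

# Actions from the tutorial's s3-bucket-ro-policy: list the bucket, read objects.
READ_ONLY_ACTIONS = ["s3:ListBucket", "s3:GetObject*"]


def read_only_policy(buckets, sid="MyReadOnlyBucketPolicyV1"):
    """Build the tutorial's read-only policy for one or more bucket names.

    Bucket ARNs come first, then the object ARNs (bucket/*): s3:ListBucket is
    evaluated against the bucket ARN, s3:GetObject* against the object ARNs.
    """
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    object_arns = [f"{arn}/*" for arn in bucket_arns]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": list(READ_ONLY_ACTIONS),
            "Resource": bucket_arns + object_arns,
        }],
    }


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, else any Allow, else deny.
    Wildcards (* and ?) in Action/Resource are matched like IAM; no Conditions."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def grants_full_access(policy):
    """Flag an AmazonS3FullAccess-shaped statement: Allow s3:* on Resource *."""
    return any(stmt["Effect"] == "Allow" and "s3:*" in _as_list(stmt["Action"])
               and "*" in _as_list(stmt["Resource"]) for stmt in policy["Statement"])


if __name__ == "__main__":
    print(json.dumps(read_only_policy(["s3-bucket-ro"]), indent=4))
```

Run it to print the single-bucket policy; with the three tutorial bucket names it produces the six-entry Resource list of the multi-bucket policy.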

About this page

Article: AWS S3 Read-Only IAM Policy for specific User
Published: 23/07/2019
Updated: 10/08/2019
