AWS S3 Read-Write IAM Policy for specific User


In this AWS S3 Read-Write IAM Policy tutorial we will look at how to create and manage AWS IAM policies for specific S3 buckets: policies that can easily be applied to any IAM user or user group and that grant read and write permissions only. AWS S3 is a great storage service on its own, but used together with IAM it becomes a much more powerful tool: it gives us the freedom and the ability to fine-tune permissions so that only a specific user or user group can read or write a given bucket, without exposing our entire content to the internet. Similar tutorials covering the same topic on other cloud providers such as GCP, Azure and Alibaba Cloud will be posted shortly.

Table of contents

Scenario
AWS S3 Full Access Policy
AWS S3 Read-Write IAM Policy
AWS S3 Read-Write IAM Policy for multiple S3 Buckets

Scenario

Let's assume we have a new, exciting project where one of the requirements is to set up an S3 Read-Write IAM policy granting a specific user or user group access to some particular S3 buckets.

We have everything else in place: a new IAM user or service account with Programmatic Access (CLI / API) to our AWS account resources, an active Access Key and Secret Access Key, and the aws cli bundle installed and configured on our local or remote machine.

We will need to create a new S3 bucket, named for example s3-bucket-rw and therefore having the ARN arn:aws:s3:::s3-bucket-rw, which will be the target of our AWS S3 Read-Write IAM Policy.

AWS IAM Read-Write S3 Policy

Using the AWS Web Console, let's create a new IAM policy from scratch called s3-bucket-rw-policy. This policy will allow us not only to read but also to write and delete files in our s3-bucket-rw S3 bucket. The new IAM policy enables four main actions: s3:ListBucket, s3:GetObject*, s3:PutObject* and s3:DeleteObject*. The s3-bucket-rw-policy IAM policy will contain the following lines:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyReadWriteBucketPolicyV1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*",
                "s3:PutObject*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-rw",
                "arn:aws:s3:::s3-bucket-rw/*"
            ]
        }
    ]
}

We can now validate and save this s3-bucket-rw-policy policy and attach it to our specific user or user group.

Assuming that a text file called MyReadWriteFile.txt has already been created on our local or remote machine, let's try to upload it to our s3-bucket-rw S3 bucket using the aws cli, as shown in the example below:

aws s3 cp MyReadWriteFile.txt s3://s3-bucket-rw/

If our s3-bucket-rw-policy has been validated, saved and attached, we should get output similar to the one listed below:

upload: ./MyReadWriteFile.txt to s3://s3-bucket-rw/MyReadWriteFile.txt

This means that our policy is valid and works as expected: our file has been successfully uploaded.

We can double check and confirm this by listing the content on our S3 bucket:

aws s3 ls s3://s3-bucket-rw/

A successful output will show us MyReadWriteFile.txt:

2019-07-23 12:43:04          0 MyReadWriteFile.txt

What about removing the file? We've been able to upload and list our MyReadWriteFile.txt file; now let's see if we can delete it, as our custom policy should allow:

aws s3 rm s3://s3-bucket-rw/MyReadWriteFile.txt

Once again, if our custom policy is correct, we should see something like this in our terminal window:

delete: s3://s3-bucket-rw/MyReadWriteFile.txt

We are now done: we have proved that our policy allows us to upload, read and delete files in the s3-bucket-rw S3 bucket.

AWS IAM Read-Write S3 Policy for multiple Buckets

The above Read-Write IAM policy can be extended quite easily to include multiple S3 buckets. Let's create a new policy called s3-multibucket-rw-policy with the following lines:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyReadWriteMultiBucketPolicyV1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*",
                "s3:PutObject*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-rw_first",
                "arn:aws:s3:::s3-bucket-rw_second",
                "arn:aws:s3:::s3-bucket-rw_first/*",
                "arn:aws:s3:::s3-bucket-rw_second/*"
            ]
        }
    ]
}

As you can see, the Action field of our s3-multibucket-rw-policy policy is exactly the same as in the s3-bucket-rw-policy IAM policy; only the Resource field has changed, and it now lists multiple S3 buckets.
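The two policies above (s3-bucket-rw-policy and s3-multibucket-rw-policy) differ only in their Resource list, so they can be generated from a bucket list and checked before they are attached. The script below is an added example written for this page, not code from the tutorial or from AWS: it builds the policy document for any number of buckets and runs a simplified, offline simulation of IAM evaluation (default deny, explicit Deny wins, wildcard matching with case-insensitive action names and case-sensitive ARNs; no Condition elements or resource policies) over constructed sample requests that mirror the aws s3 cp / ls / rm steps. It also shows one caveat a practitioner will want to know about the page's wildcards: s3:PutObject* matches s3:PutObjectAcl as well as s3:PutObject, so the user can change object ACLs; the explicit_actions=True variant is my tightened suggestion, not the page's policy, naming only the three object actions and scoping s3:ListBucket to the bucket ARNs. The Sid values ListBucketOnly and ObjectReadWriteDelete in that variant are my own.

```python
import json
import re


def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one.
    Action names are matched case-insensitively; ARNs are case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation (no Condition, no resource policies):
    default deny; an explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_iam_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def build_rw_policy(buckets, explicit_actions: bool = False) -> dict:
    """Build the read-write policy for one or more buckets.

    explicit_actions=False reproduces the page's single statement with the
    s3:*Object* wildcards (Resource order: bucket ARNs, then object ARNs).
    explicit_actions=True is a tightened variant (a suggestion, not the page's
    policy): listing scoped to the bucket ARNs, and only the three object
    actions named explicitly on the object ARNs, so s3:PutObjectAcl is no
    longer granted through the wildcard.
    """
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    object_arns = [f"arn:aws:s3:::{b}/*" for b in buckets]
    if not explicit_actions:
        return {
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "MyReadWriteBucketPolicyV1",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject*", "s3:PutObject*", "s3:DeleteObject*"],
                "Resource": bucket_arns + object_arns,
            }],
        }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucketOnly", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": bucket_arns},
            {"Sid": "ObjectReadWriteDelete", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": object_arns},
        ],
    }


# Constructed sample requests mirroring the tutorial's aws s3 cp / ls / rm steps,
# plus three requests the policy is expected to handle differently.
SAMPLE_REQUESTS = [
    ("s3:PutObject", "arn:aws:s3:::s3-bucket-rw/MyReadWriteFile.txt"),     # aws s3 cp
    ("s3:ListBucket", "arn:aws:s3:::s3-bucket-rw"),                         # aws s3 ls
    ("s3:DeleteObject", "arn:aws:s3:::s3-bucket-rw/MyReadWriteFile.txt"),  # aws s3 rm
    ("s3:GetObject", "arn:aws:s3:::some-other-bucket/secret.txt"),         # bucket not in policy
    ("s3:PutBucketPolicy", "arn:aws:s3:::s3-bucket-rw"),                   # bucket administration
    ("s3:PutObjectAcl", "arn:aws:s3:::s3-bucket-rw/MyReadWriteFile.txt"),  # caught by s3:PutObject*
]


def evaluate_samples(policy: dict) -> dict:
    """Return {action: decision} for the constructed sample requests."""
    return {action: is_allowed(policy, action, resource) for action, resource in SAMPLE_REQUESTS}


if __name__ == "__main__":
    print(json.dumps(build_rw_policy(["s3-bucket-rw_first", "s3-bucket-rw_second"]), indent=4))
    for name, buckets, explicit in (("page wildcard policy", ["s3-bucket-rw"], False),
                                    ("explicit-action policy", ["s3-bucket-rw"], True)):
        print(name)
        for action, decision in evaluate_samples(build_rw_policy(buckets, explicit)).items():
            print(f"  {action:<20} {'ALLOW' if decision else 'DENY'}")
```

Running the script prints the multi-bucket policy in the same shape as s3-multibucket-rw-policy and then the decision table for both variants; the only row that differs between them is s3:PutObjectAcl. The simulator is deliberately minimal, so treat it as a review aid for the policy document and confirm the final decision with the IAM policy simulator or the aws cli steps shown above.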


About this page

Published: 09/08/2019
Updated: 12/08/2019
