AWS S3 Read-Write IAM Policy for specific User
In this AWS S3 Read-Write IAM Policy tutorial we will talk about how to create and manage AWS IAM Policies scoped to specific AWS S3 Buckets: policies that can be applied to any IAM user or user group and grant Read and Write permissions only. AWS S3 is a great storage service on its own, but used in conjunction with IAM it becomes a very powerful tool, giving us the freedom and the ability to fine-tune permissions so that only a specific user or user group can read or write a given bucket, without exposing our entire content to the internet. Shortly, similar tutorials will be posted covering the same topic using a few other cloud providers like GCP, Azure and also Alibaba Cloud.
Table of contents
Scenario
AWS S3 Full Access Policy
AWS S3 Read-Write IAM Policy
AWS S3 Read-Write IAM Policy for multiple S3 Buckets
Scenario
Assume that we have a new project where one of the requirements is to set up an S3 Read-Write IAM policy that gives a specific user or user group access to some particular S3 Buckets only.
We have everything else in place: a new IAM user or service account with Programmatic Access (CLI / API) to our AWS Account Resources, an active Access Key and Secret Access Key, and the aws cli bundle package installed and configured on our local or remote machine.
We will need to create a new AWS S3 bucket, named for example s3-bucket-rw, having the ARN arn:aws:s3:::s3-bucket-rw, which will be used for our AWS S3 Read-Write IAM Policy.
AWS IAM Read-Write S3 Policy
Using the AWS Web Console, let's create a new IAM Policy from scratch called s3-bucket-rw-policy. This policy will allow us not only to Read but also to Write and Delete files in our s3-bucket-rw S3 Bucket. Our new IAM Policy will have four main actions enabled: s3:ListBucket, s3:GetObject*, s3:PutObject* and s3:DeleteObject*. Note that s3:ListBucket is evaluated against the bucket ARN, while the object actions are evaluated against the object ARNs (the bucket name followed by /*), which is why both forms appear under Resource. The s3-bucket-rw-policy IAM Policy will contain the next lines:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyReadWriteBucketPolicyV1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*",
                "s3:PutObject*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-rw",
                "arn:aws:s3:::s3-bucket-rw/*"
            ]
        }
    ]
}
We can now validate and save this s3-bucket-rw-policy policy and attach it to our specific user or user group.
Assuming that a text file called MyReadWriteFile.txt has already been created on our local or remote machine, let's try to upload it to our s3-bucket-rw S3 Bucket using the aws cli, as shown in the example below:
aws s3 cp MyReadWriteFile.txt s3://s3-bucket-rw/
If our s3-bucket-rw-policy has been validated, saved and attached, we should get an output similar to the one listed below:
upload: ./MyReadWriteFile.txt to s3://s3-bucket-rw/MyReadWriteFile.txt
This means that our policy is valid and works as expected: our file has been successfully uploaded.
We can double check and confirm this by listing the content on our S3 bucket:
aws s3 ls s3://s3-bucket-rw/
A successful output will show us MyReadWriteFile.txt:
2019-07-23 12:43:04 0 MyReadWriteFile.txt
What about removing the file? We have been able to upload and list our MyReadWriteFile.txt file, but now let's see if we can delete it as per our custom policy:
aws s3 rm s3://s3-bucket-rw/MyReadWriteFile.txt
Once again, if our custom policy is correct, we should see something like this in our terminal window:
delete: s3://s3-bucket-rw/MyReadWriteFile.txt
We are now done: we have proved that our policy allows us to upload, read and delete files in the s3-bucket-rw S3 bucket.
AWS IAM Read-Write S3 Policy for multiple Buckets
The above Read-Write IAM policy can be extended quite easily to include multiple S3 buckets. Let's create a new policy called s3-multibucket-rw-policy having the next lines:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyReadWriteMultiBucketPolicyV1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*",
                "s3:PutObject*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-rw_first",
                "arn:aws:s3:::s3-bucket-rw_second",
                "arn:aws:s3:::s3-bucket-rw_first/*",
                "arn:aws:s3:::s3-bucket-rw_second/*"
            ]
        }
    ]
}
As you can see, the Action field of our s3-multibucket-rw-policy policy is exactly the same as in the s3-bucket-rw-policy IAM policy; only the Resource field has changed, and it now lists multiple S3 buckets, each one both as a bucket ARN (for s3:ListBucket) and as an object ARN ending in /* (for the object actions).
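Both policies above (the single-bucket s3-bucket-rw-policy and the multi-bucket s3-multibucket-rw-policy) follow the same pattern, so they can be generated from a list of bucket names and checked before they are attached. The script below is an added example, not part of the original tutorial: build_rw_policy produces the document in the exact shape shown on this page, and audit_rw_policy is a local, offline check that reports when a statement drifts from that shape (an action outside the four read-write actions, a Resource of "*" or a bucket that is not on the allowed list, or a missing bucket-level / object-level ARN, which is the classic cause of s3:ListBucket or s3:GetObject silently failing). The function names and the audit rules are this example's own assumptions, not an AWS API.

```python
"""Build and audit the S3 read-write IAM policy pattern used in the tutorial.

Added example (not the tutorial's own code). build_rw_policy / audit_rw_policy
are names chosen for this example; they are not AWS or boto3 APIs.
"""
import json

# The four actions the tutorial's policies allow, and nothing else.
RW_ACTIONS = ["s3:ListBucket", "s3:GetObject*", "s3:PutObject*", "s3:DeleteObject*"]
S3_ARN_PREFIX = "arn:aws:s3:::"


def build_rw_policy(buckets, sid="MyReadWriteMultiBucketPolicyV1"):
    """Return the read-write policy document for one or more buckets.

    s3:ListBucket is evaluated against the bucket ARN, while the object actions
    are evaluated against object ARNs (bucket/*), so both forms are listed,
    exactly as in the tutorial's s3-multibucket-rw-policy.
    """
    if not buckets:
        raise ValueError("at least one bucket name is required")
    bucket_arns = [f"{S3_ARN_PREFIX}{b}" for b in buckets]
    object_arns = [f"{S3_ARN_PREFIX}{b}/*" for b in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Action": list(RW_ACTIONS),
                "Resource": bucket_arns + object_arns,
            }
        ],
    }


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def audit_rw_policy(policy, allowed_buckets):
    """Return a list of findings; an empty list means the policy is scoped as intended."""
    findings = []
    allowed = set(allowed_buckets)
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access, so they are not audited here
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action not in RW_ACTIONS:
                findings.append(f"{sid}: action {action!r} is outside the read-write set")
        for res in resources:
            if res == "*" or res == f"{S3_ARN_PREFIX}*":
                findings.append(f"{sid}: resource {res!r} grants access to every bucket")
                continue
            if not res.startswith(S3_ARN_PREFIX):
                findings.append(f"{sid}: resource {res!r} is not an S3 ARN")
                continue
            bucket = res[len(S3_ARN_PREFIX):].split("/", 1)[0]
            if bucket not in allowed:
                findings.append(f"{sid}: resource {res!r} names bucket {bucket!r}, which is not allowed")
        # ListBucket needs a bucket-level ARN; object actions need bucket/* ARNs.
        has_bucket_arn = any(
            r.startswith(S3_ARN_PREFIX) and "/" not in r[len(S3_ARN_PREFIX):] for r in resources
        )
        has_object_arn = any(r.endswith("/*") for r in resources)
        if "s3:ListBucket" in actions and not has_bucket_arn:
            findings.append(f"{sid}: s3:ListBucket is allowed but no bucket-level ARN is listed")
        if any(a != "s3:ListBucket" for a in actions) and not has_object_arn:
            findings.append(f"{sid}: object actions are allowed but no object-level (bucket/*) ARN is listed")
    return findings


if __name__ == "__main__":
    buckets = ["s3-bucket-rw_first", "s3-bucket-rw_second"]  # names taken from the tutorial
    policy = build_rw_policy(buckets)
    print(json.dumps(policy, indent=4))
    print("findings:", audit_rw_policy(policy, buckets))
```

Run the script to print the same document as s3-multibucket-rw-policy and an empty findings list; feed audit_rw_policy a policy downloaded from IAM (for example the JSON returned by aws iam get-policy-version) to confirm it has not been widened since it was written. Note that the bucket names on this page contain underscores, which are not permitted in names of newly created S3 buckets, so use hyphenated names when you create the buckets for real.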