Single S3 Bucket Policy

Restricting a user to a single bucket requires two different policies to be attached to the group or user. With this policy setup the user can't list other buckets.

1st Policy


{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "XXX",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<bucketname>"
]
}
]
}

2nd Policy


{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "XXX",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<bucketname>/*"
]
}
]
}

The only difference between these two policies is the ARN in the Resource part: the second one carries the /* wildcard, so it matches the objects inside the bucket rather than the bucket itself.
If you use just the 1st policy, the user can list the files but cannot make any changes inside the bucket. If you use just the 2nd policy, the user cannot get into the bucket at all. That's why both are required.

If you have discovered an easier way, please share it in the comments.

Update:

A similar solution is shown on the AWS blog.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}
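To make the ARN-level difference concrete, here is an added Python model (not from the post or from AWS) that runs the post's two policies, alone and combined, against the requests discussed above and covered by the AWS blog variant. It is a simplified evaluator that ignores conditions, resource policies and SCPs, and the bucket name is a constructed placeholder.

```python
import fnmatch

# Constructed placeholder bucket; substitute your own ARN.
BUCKET = "arn:aws:s3:::example-bucket"
ACTIONS = ["s3:DeleteObject", "s3:GetObject", "s3:ListBucket", "s3:PutObject"]

# The post's two policies, differing only in the Resource ARN.
FIRST = {"Statement": [{"Effect": "Allow", "Action": ACTIONS, "Resource": [BUCKET]}]}
SECOND = {"Statement": [{"Effect": "Allow", "Action": ACTIONS, "Resource": [BUCKET + "/*"]}]}
COMBINED = {"Statement": FIRST["Statement"] + SECOND["Statement"]}


def _matches(value, patterns):
    # IAM treats '*' and '?' as wildcards in both Action and Resource.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM logic: an explicit Deny wins, then any Allow, else implicit deny.
    Actions compare case-insensitively; ARNs compare exactly apart from wildcards.
    Conditions, resource policies and SCPs are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in stmt["Action"]]
        if not _matches(action.lower(), actions):
            continue
        if not _matches(resource, stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate(policy):
    """Outcome of the three requests the post discusses under a given policy."""
    return {
        "list bucket": is_allowed(policy, "s3:ListBucket", BUCKET),
        "get object": is_allowed(policy, "s3:GetObject", BUCKET + "/report.csv"),
        "list other bucket": is_allowed(policy, "s3:ListBucket", "arn:aws:s3:::other-bucket"),
    }


if __name__ == "__main__":
    for name, policy in [("1st only", FIRST), ("2nd only", SECOND), ("both", COMBINED)]:
        print(name, evaluate(policy))
```

The bucket-only statement never matches an object ARN and the object-only statement never matches the bucket ARN, which is exactly why the post needs both.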
