Amazon S3: How to Restrict User Access to Specific Folder or Bucket
Recently I had a chance to work on Amazon S3 policy creation to restrict access to a specific folder inside a bucket for specific users.
The Amazon documentation gives the following example:
Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket
This example builds on the previous example that gives Bob a home directory. To give Bob the ability to list the objects in his home directory, he needs access to ListBucket. However, we want the results to include only objects in his home directory, and not everything in the bucket. To restrict his access that way, we use the policy condition key called s3:prefix with the value set to home/bob/*. This means that only objects with a prefix home/bob/* will be returned in the ListBucket response.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my_corporate_bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "home/bob/*"
        }
      }
    }
  ]
}
If you apply the above policy, the user has to type the exact path to reach the files: neither the bucket nor the folders inside it are listed when the account is used from the AWS web console or an S3 FTP tool. My requirement was to list the buckets and folders but restrict access to a specific folder.
My requirement:
– Create a different folder inside the bucket for each client.
– All users of a client should get access only to that client's folder, through the AWS web console or S3 FTP tools.
What I did:
– Created a different folder for each client inside the bucket.
– Created a group under IAM for each client.
– Created the users and assigned them to their client's group.
– Created the policy and attached it at group level.
Policy to restrict the folder access
For example, if you have the folders "folder1" and "folder2" under "bucket1" and want to give "client1" users access to "folder1" and "client2" users access to "folder2":
Here is the policy we need to apply to the “client1” user group:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringLike": {
          "s3:prefix": "folder2/*"
        }
      }
    }
  ]
}
Policy to apply on “client2” user group:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringLike": {
          "s3:prefix": "folder1/*"
        }
      }
    }
  ]
}
Each policy has two statements: the first allows every S3 action on every resource, and the second adds an explicit Deny on s3:ListBucket whose condition matches only listing requests whose prefix falls under the other client's folder. Be clear about what that does and does not do. Because an explicit Deny always wins, the user cannot list the other client's folder, but the first statement still allows s3:GetObject, s3:PutObject and s3:DeleteObject on any key inside it (and every S3 action on every other bucket in the account), so anyone who knows or guesses an object name can still read, overwrite or delete it. A listing with no prefix at all is not denied either, because an empty prefix does not match "folder2/*". If the requirement is really to confine each client to its own folder, scope the Allow statement to arn:aws:s3:::bucket1 and arn:aws:s3:::bucket1/folder1/* (with s3:ListBucket conditioned on that prefix) instead of granting s3:* on arn:aws:s3:::*; the Deny then becomes unnecessary.
Policy to restrict the bucket access
If instead you created different buckets (bucket1, bucket2) and want to give "client1" access to "bucket1" and "client2" access to "bucket2":
Here is the policy to apply on “client1” user group:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket"],
      "NotResource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]
    }
  ]
}
Policy to apply on “client2” user group:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket"],
      "NotResource": ["arn:aws:s3:::bucket2", "arn:aws:s3:::bucket2/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::bucket2", "arn:aws:s3:::bucket2/*"]
    }
  ]
}
Here the first statement lets the user see the list of buckets and list bucket contents, the second statement denies listing on every bucket except bucket1 (NotResource inverts the match), and the third grants full access on bucket1 only. Unlike the folder policies, nothing is granted on other buckets, so a user who knows an object name in bucket2 still cannot read it.
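The following is an added example, not code from the original post: a small evaluator for the subset of the IAM policy language these policies use (Effect, Action, Resource/NotResource, StringLike/StringEquals conditions, explicit Deny beats Allow, implicit Deny otherwise). It is used to check both the folder policies and the bucket policies above against constructed requests, next to a least-privilege alternative for the folder case. The object keys, the request contexts and the least-privilege policy are this example's own; it also assumes S3 exposes the listing prefix to policy evaluation as s3:prefix, with an empty string when the request sends no prefix.

```python
"""Added example (not from the original post): a small evaluator for the subset of
the IAM policy language these policies use, so they can be tested offline.
Supports Effect, Action (string/list, '*' and '?' wildcards, case-insensitive),
Resource / NotResource, Condition with StringEquals / StringLike, and the rule
"an explicit Deny beats any Allow; no matching Allow is an implicit Deny"."""
import re

def _glob(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _condition_ok(cond, ctx):
    """Every operator/key pair must hold; a key absent from the request context fails."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            if key not in ctx:
                return False
            if op == "StringEquals":
                hit = ctx[key] in _as_list(wanted)
            elif op == "StringLike":
                hit = any(_glob(w, ctx[key]) for w in _as_list(wanted))
            else:
                raise NotImplementedError(op)
            if not hit:
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return 'ALLOW' or 'DENY' for one request against one identity policy.
    ctx carries condition keys; assumption: S3 supplies the list prefix as
    s3:prefix, with '' when the request sends no prefix."""
    ctx = ctx or {}
    effects = set()
    for st in policy["Statement"]:
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(st["Action"])):
            continue
        if "Resource" in st:
            if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
                continue
        elif any(_glob(r, resource) for r in _as_list(st["NotResource"])):
            continue  # NotResource: statement applies to everything except these ARNs
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        effects.add(st["Effect"])
    if "Deny" in effects:
        return "DENY"
    return "ALLOW" if "Allow" in effects else "DENY"  # implicit deny

# The page's client1 folder policy: Allow everything, Deny listing under folder2/.
PAGE_FOLDER_CLIENT1 = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::*",
     "Condition": {"StringLike": {"s3:prefix": "folder2/*"}}}]}

# The page's client1 bucket policy: NotResource denies listing of every other bucket.
PAGE_BUCKET_CLIENT1 = {"Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:s3:::*",
     "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation"]},
    {"Effect": "Deny", "Action": ["s3:ListBucket"],
     "NotResource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]}]}

# Hypothetical least-privilege alternative for the folder case (this example's own):
# nothing is granted on arn:aws:s3:::*, object actions are scoped to bucket1/folder1/,
# and the '' prefix lets the client list the bucket root so folder names still show.
LEAST_PRIV_FOLDER_CLIENT1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket1",
     "Condition": {"StringLike": {"s3:prefix": ["", "folder1/*"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::bucket1/folder1/*"}]}

# Constructed sample requests: (action, resource ARN, request context).
CASES = [
    ("s3:ListBucket", "arn:aws:s3:::bucket1", {"s3:prefix": "folder2/"}),
    ("s3:ListBucket", "arn:aws:s3:::bucket1", {"s3:prefix": ""}),
    ("s3:GetObject", "arn:aws:s3:::bucket1/folder2/secret.txt", {}),
    ("s3:GetObject", "arn:aws:s3:::bucket1/folder1/report.pdf", {}),
    ("s3:DeleteBucket", "arn:aws:s3:::bucket2", {}),
]

def compare(page_policy=PAGE_FOLDER_CLIENT1, fixed_policy=LEAST_PRIV_FOLDER_CLIENT1):
    """Per sample request: (action, resource, prefix, page decision, least-privilege decision)."""
    return [(a, r, c.get("s3:prefix"), evaluate(page_policy, a, r, c),
             evaluate(fixed_policy, a, r, c)) for a, r, c in CASES]

if __name__ == "__main__":
    for action, resource, prefix, page, fixed in compare():
        print(f"{action:<16} {resource:<46} prefix={prefix!r:<12} page={page:<5} least-priv={fixed}")
```

Running it shows the point that matters: under the page's folder policy the only refused request is a listing whose prefix starts with folder2/; reading bucket1/folder2/secret.txt, listing the bucket root, and even deleting bucket2 are all allowed, while the least-privilege policy allows only the folder1 requests. The page's bucket policies fare better: the NotResource Deny blocks listing of bucket2 and the scoped Allow grants nothing there, so a GetObject on bucket2 falls through to the implicit Deny.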
I always enjoy learning what other people think about Amazon Web Services and how they use them. Check out my very own tool, CloudBerry Explorer, that helps manage S3 on Windows. The latest version comes with full support for IAM.
Nice Article…
Glad to know how much people like to work with Amazon S3 and its services. I am one of the developer team members of the Bucket Explorer team. My very own tool provides you an easy interface to handle the services on S3. You can set policies as well, and you can use IAM, which helps you manage the different kinds of permissions you want to assign to the user. You can manage permissions from https://team20.bucketexplorer.com
Thanks and regards
Kirti
I am using the CloudBerry PRO licensed version to store data in AWS S3.
I have a bucket on which I have enforced server-side encryption using a bucket policy, to stop users uploading files unless the HTTP header
x-amz-server-side-encryption is set to AES256, as shown below.
{
  "Version": "2008-10-17",
  "Id": "HTTPS_Only_Policy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::oct14bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "Stmt1315993193505",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::oct14bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": true
        }
      }
    }
  ]
}
After setting the bucket policy, I am unable to create folders inside the bucket.
And I have an IAM uploader user who has put permissions on my bucket, and he is unable to upload the same file twice (with the same filename).
Is there any reason for the above cases?
Hi,
could you help me?
I'd like to give everyone in my family a single bucket.
This works with this:
{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::family_sister", "arn:aws:s3:::family_sister/*"]
    }
  ]
}
But in this way all of them see the other buckets on my S3.
How can I change it so that each user sees only his personal bucket?
I think there is no option to hide some of the folders using policy settings. But what you can do is hide all the buckets, so the user has to enter the bucket name to access it. See the policy setting below for this:
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:ListBucket"
      ],
      "NotResource": [
        "arn:aws:s3:::family_sister",
        "arn:aws:s3:::family_sister/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::family_sister",
        "arn:aws:s3:::family_sister/*"
      ]
    }
  ]
}
The disadvantage of the above approach is that users have to know their bucket name.
Very nice article, direct to the point.
Thanks 🙂
Chris
Thank you so much, it was nice and met my requirement.
Thank you, the solution worked out for me. User1 gets permission denied on folder2, User2 gets permission denied on folder1. But I need one more solution; could anyone help out?
User1 should be able to see folder1 and shouldn't see folder2 and folder3 when logging in to the S3 bucket.