Amazon S3: How to Restrict User Access to Specific Folder or Bucket

Recently, I had a chance to work on Amazon S3 policy creation to restrict access to a specific folder inside a bucket for specific users.

I came across the description below in the Amazon docs:

Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket

This example builds on the previous example that gives Bob a home directory. To give Bob the ability to list the objects in his home directory, he needs access to ListBucket. However, we want the results to include only objects in his home directory, and not everything in the bucket. To restrict his access that way, we use the policy condition key called s3:prefix with the value set to home/bob/*. This means that only objects with a prefix home/bob/* will be returned in the ListBucket response.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my_corporate_bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "home/bob/*"
        }
      }
    }
  ]
}

If you apply the above policy, the user has to enter the exact path to reach the files; the bucket and the folders inside it are not listed when the account is accessed from the Amazon web interface or s3ftp tools. My requirement, however, was to list the buckets and folders while restricting access to a specific folder.

My requirement:
– Create a different folder inside the bucket for each client.
– Each client's users should get access only to that client's folder, through the Amazon web interface or s3ftp tools.

What I did:
– Created a different folder for each client inside the bucket.
– Created a group under “IAM” for each client.
– Created the users and assigned them to the client groups.
– Created and assigned the policy at the group level.

Policy to restrict the folder access

For example, suppose you have the folders “folder1” and “folder2” under “bucket1”, and you want to give “client1” users access to “folder1” and “client2” users access to “folder2”.

Here is the policy we need to apply to the “client1” user group:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringLike": {
          "s3:prefix": "folder2/*"
        }
      }
    }
  ]
}

Policy to apply on “client2” user group:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringLike": {
          "s3:prefix": "folder1/*"
        }
      }
    }
  ]
}

In the above policies, we added two statements: the first allows all S3 actions on all resources, and the second denies s3:ListBucket for the other client's folder prefix.

Policy to restrict the bucket access

If you created separate buckets (bucket1, bucket2) and want to give “client1” access to “bucket1” and “client2” access to “bucket2”:

Here is the policy to apply on “client1” user group:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:ListBucket"
      ],
      "NotResource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ]
    }
  ]
}

Policy to apply on “client2” user group:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:ListBucket"
      ],
      "NotResource": [
        "arn:aws:s3:::bucket2",
        "arn:aws:s3:::bucket2/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket2",
        "arn:aws:s3:::bucket2/*"
      ]
    }
  ]
}
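Both the folder-restriction and the bucket-restriction policies above depend on IAM's evaluation order: an explicit Deny beats any Allow, and a request that no statement matches is implicitly denied. As an added example that is not part of the original post, the Python below implements that subset of the evaluation logic and runs the “client1” folder policy through it; the bucket name, object key and prefix values are constructed samples. It also makes visible that the Deny covers only s3:ListBucket, so the folder policy hides listings of folder2/ without restricting other actions on objects under it.

```python
"""Offline evaluator for the subset of IAM logic the S3 policies on this page use:
Action/Resource wildcards, NotResource, StringLike on s3:prefix, and the rule that
an explicit Deny overrides any Allow while no matching statement is an implicit Deny."""
import fnmatch
import json

# Constructed sample: the "client1" folder-restriction policy from the post, applied to
# bucket1, which holds folder1/ (client1's data) and folder2/ (client2's data).
CLIENT1_FOLDER_POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::*",
     "Condition": {"StringLike": {"s3:prefix": "folder2/*"}}}
  ]
}""")

def _matches(patterns, value):
    # IAM policy wildcards (* and ?) map directly onto fnmatch; ARNs are case-sensitive.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _statement_applies(stmt, action, resource, context):
    if not _matches(stmt.get("Action", []), action):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _matches(stmt["NotResource"], resource):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringLike", {}).items():
        # A condition key missing from the request context makes the condition false.
        if key not in context or not _matches(expected, context[key]):
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one identity policy."""
    context = context or {}
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, resource, context)}
    if "Deny" in effects:          # explicit deny always wins
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"   # no match is an implicit deny

if __name__ == "__main__":
    bucket = "arn:aws:s3:::bucket1"
    # Listing under folder2/ is denied, as the post intends ...
    print(evaluate(CLIENT1_FOLDER_POLICY, "s3:ListBucket", bucket, {"s3:prefix": "folder2/"}))
    # ... but the Deny covers only ListBucket, so GetObject on a key under folder2/ still hits the s3:* Allow.
    print(evaluate(CLIENT1_FOLDER_POLICY, "s3:GetObject", bucket + "/folder2/report.csv"))
```

Feed the bucket-restriction policy to the same evaluate() to confirm that s3:ListBucket on bucket2 is denied while every action on bucket1 stays allowed.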