Friday, November 16, 2012

AWS S3: IAM Policy for Accessing S3 Bucket

In AWS S3, if you want to have a user account that is able to read/write to an S3 bucket and nothing else, use the following policy statements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxxxxxxxxxx",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "Stmtxxxxxxxxxxxxx",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucketname"
      ]
    },
    {
      "Sid": "Stmtxxxxxxxxxxxxx",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucketname/*"
      ]
    }
  ]
}
The s3:ListAllMyBuckets permission isn't always needed, but some tools (e.g. Cyberduck) will have permission problems without it. It has to be granted on arn:aws:s3:::* because listing buckets is an account-level action rather than a bucket-level one; it only exposes bucket names, not their contents. Note that s3:ListMultipartUploadParts is evaluated against object ARNs, so it belongs in the bucketname/* statement, not the bucket-level one.
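A quick way to confirm a policy like this really is confined to one bucket before attaching it is to lint it offline. The following checker is an added example, not code from the original post: it encodes where IAM evaluates each S3 action used above (account-wide, bucket ARN, or object ARN), walks every Allow statement, and reports any wildcard action, any resource outside the named bucket, or any action placed on a resource it does not apply to. The bucket name "bucketname", the Sids, and the deliberately broad counter-example policy are all constructed for the example.

```python
"""Offline least-privilege check for a single-bucket S3 IAM policy (added example)."""

# Constructed placeholder, matching the post's "bucketname"
BUCKET = "bucketname"

# Resource level at which IAM evaluates each S3 action used in the post.
ACCOUNT_ACTIONS = {"s3:ListAllMyBuckets"}                      # only valid on arn:aws:s3:::*
BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket",
                  "s3:ListBucketMultipartUploads"}               # arn:aws:s3:::<bucket>
OBJECT_ACTIONS = {                                              # arn:aws:s3:::<bucket>/*
    "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectVersionAcl",
    "s3:ListMultipartUploadParts", "s3:PutObject", "s3:PutObjectAcl",
    "s3:PutObjectVersionAcl",
}

# Constructed copy of the post's policy, with descriptive Sids.
SINGLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListBuckets", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"], "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}"]},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": sorted(OBJECT_ACTIONS), "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}

# Constructed counter-example: the "just give it all of S3" shortcut.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a bare string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(policy, bucket):
    """Return a list of findings; an empty list means every grant is confined to `bucket`."""
    expected = {
        "arn:aws:s3:::*": ACCOUNT_ACTIONS,
        f"arn:aws:s3:::{bucket}": BUCKET_ACTIONS,
        f"arn:aws:s3:::{bucket}/*": OBJECT_ACTIONS,
    }
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement can only narrow access, never widen it
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource inverts the grant; use explicit lists")
        actions = set(_as_list(stmt.get("Action", [])))
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
        for res in _as_list(stmt.get("Resource", [])):
            allowed = expected.get(res)
            if allowed is None:
                findings.append(f"{sid}: resource {res!r} is outside bucket {bucket!r}")
                continue
            # Actions that IAM would never match against this resource level
            stray = sorted(a for a in actions if a not in allowed and "*" not in a)
            if stray:
                findings.append(f"{sid}: {stray} do not belong on {res!r}")
    return findings


if __name__ == "__main__":
    for name, pol in (("single-bucket", SINGLE_BUCKET_POLICY), ("broad", BROAD_POLICY)):
        result = check_policy(pol, BUCKET)
        print(f"{name}: {'OK' if not result else result}")
```

Run it as a script to see the post's policy pass and the broad one fail with two findings. The checker is intentionally strict about resource level: an object action placed on the bucket ARN (or vice versa) is reported, because IAM would silently not match it and the user would get an unexplained AccessDenied.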
