Restrict IAM User Access to Specific Folders in Amazon S3

In this hands-on lab, we will explore how to create an AWS Identity and Access Management (IAM) policy to grant IAM users access to specific folders within an Amazon S3 bucket. We’ll follow a scenario similar to a common use case where each user should have access to their own home folder while being restricted from accessing other users’ folders within the same bucket.

Prerequisites

  1. An AWS account with administrative access.
  2. Basic familiarity with AWS IAM concepts and the AWS Management Console.

Lab Scenario

Imagine you have a bucket named “my-company” in Amazon S3 with the following structure:

  • /home/Rose/
  • /home/Bob/
  • /home/Andy/
  • /restricted/
  • /root-file.txt

Your goal is to create an IAM policy for an IAM user named Andy. This policy will grant Andy full console access to only his folder (/home/Andy) and restrict access to other folders within the “my-company” bucket.

Lab Steps

Step 1: Allow Required Amazon S3 Console Permissions

Before specifying folder-level permissions, we must grant Andy two permissions required for Amazon S3 console access: ListAllMyBuckets and GetBucketLocation. These permissions enable Andy to navigate the S3 console.

{
  "Sid": "AllowUserToSeeBucketListInTheConsole",
  "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::*"]
}

Step 2: Allow Listing Objects in Root and Home Folders

Andy needs permissions to list objects at the root level of the “my-company” bucket and in the /home/ folder to navigate the Amazon S3 console effectively.

{
  "Sid": "AllowRootAndHomeListingOfCompanyBucket",
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::my-company"],
  "Condition": {
    "StringEquals": {
      "s3:prefix": ["", "home/", "home/Andy"],
      "s3:delimiter": ["/"]
    }
  }
}

Step 3: Allow Listing Objects in Andy’s Folder

In addition to the root and home folders, Andy needs to list all objects in his /home/Andy/ folder and in any subfolders he may create.

{
  "Sid": "AllowListingOfUserFolder",
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::my-company"],
  "Condition": {
    "StringLike": {
      "s3:prefix": ["home/Andy/*"]
    }
  }
}

Step 4: Allow All Amazon S3 Actions in Andy’s Folder

Finally, we specify Andy’s actions (e.g., read, write, delete) and limit them to just his home folder (/home/Andy/).

{
  "Sid": "AllowAllS3ActionsInUserFolder",
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": ["arn:aws:s3:::my-company/home/Andy/*"]
}
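The four statements above are fragments of a single policy document. As an added example that is not part of this lab, the Python block below assembles them into one complete policy, replaces the literal user name with the IAM policy variable ${aws:username} (which IAM substitutes with the calling user's name, and which requires "Version": "2012-10-17"), and runs a deliberately simplified evaluator over the result so you can check which console requests the policy admits. The evaluator is my own illustration of how the prefix/delimiter conditions and the object-level resource ARN interact; it is not IAM's real evaluation engine and models Allow statements only.

```python
import fnmatch
import json
from typing import Optional

# Constructed for this example: the lab's bucket and the policy variable that
# IAM substitutes with the calling user's name at evaluation time.
BUCKET = "my-company"
USER_VAR = "${aws:username}"


def build_policy() -> dict:
    """The lab's four statements as one policy, with ${aws:username} in place
    of "Andy" so the same policy can be attached to Rose, Bob and Andy."""
    return {
        "Version": "2012-10-17",  # required for policy variables
        "Statement": [
            {
                "Sid": "AllowUserToSeeBucketListInTheConsole",
                "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
                "Effect": "Allow",
                "Resource": ["arn:aws:s3:::*"],
            },
            {
                "Sid": "AllowRootAndHomeListingOfCompanyBucket",
                "Action": ["s3:ListBucket"],
                "Effect": "Allow",
                "Resource": [f"arn:aws:s3:::{BUCKET}"],
                "Condition": {
                    "StringEquals": {
                        "s3:prefix": ["", "home/", f"home/{USER_VAR}"],
                        "s3:delimiter": ["/"],
                    }
                },
            },
            {
                "Sid": "AllowListingOfUserFolder",
                "Action": ["s3:ListBucket"],
                "Effect": "Allow",
                "Resource": [f"arn:aws:s3:::{BUCKET}"],
                "Condition": {"StringLike": {"s3:prefix": [f"home/{USER_VAR}/*"]}},
            },
            {
                "Sid": "AllowAllS3ActionsInUserFolder",
                "Effect": "Allow",
                "Action": ["s3:*"],
                "Resource": [f"arn:aws:s3:::{BUCKET}/home/{USER_VAR}/*"],
            },
        ],
    }


def resolve_for_user(policy: dict, username: str) -> dict:
    """Mimic IAM's variable substitution: ${aws:username} -> caller's name."""
    return json.loads(json.dumps(policy).replace(USER_VAR, username))


def _condition_matches(condition: dict, ctx: dict) -> bool:
    # A condition key absent from the request never matches StringEquals or
    # StringLike, so a ListBucket call without a delimiter fails statement 2.
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in allowed:
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in allowed):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy: dict, action: str, resource: str,
               ctx: Optional[dict] = None) -> bool:
    """Simplified evaluator: True if any Allow statement matches the request.
    Explicit Deny, bucket policies, SCPs and boundaries are not modelled."""
    ctx = ctx or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        return True
    return False


if __name__ == "__main__":
    andy = resolve_for_user(build_policy(), "Andy")
    bucket = f"arn:aws:s3:::{BUCKET}"
    print(is_allowed(andy, "s3:ListBucket", bucket, {"s3:prefix": "", "s3:delimiter": "/"}))
    print(is_allowed(andy, "s3:GetObject", f"{bucket}/home/Bob/notes.txt"))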

Conclusion

Congratulations! You’ve successfully created an IAM policy for Andy that grants him console access to only his folder in the “my-company” bucket while restricting access to other folders. With this policy in place, Andy can efficiently manage his objects in Amazon S3 without the risk of unauthorized access.

By understanding IAM policies and utilizing policy variables, you can easily adapt this policy to other IAM users, allowing multiple users to share a single bucket with folder-level permissions.

Remember that IAM policies provide fine-grained control over access to AWS resources, making them a powerful tool for securing your cloud environment.
