How to set up S3 policies for multiple IAM users so each has access only to their personal bucket folder

0 votes

I have two users User1 and User2 that each have an IAM account in AWS. I have an s3 bucket "external_bucket.mybucket.com". In that bucket is a folder for each user account "User1" and "User2". I want to grant Read/Write access to User1 to the access User1 folder only and R/W access to User2 to the access User2 folder only. I don't want them to be able to see each others' folders in the root directory of external_bucket.mybucket.com. Is there a way to set up their IAM Policies such that this is possible?

My goal is to enable our users to connect to the S3 bucket from an S3 browser app like cloudberry so they can upload and download files to their folders only.

Any kind of advice for the best design for this is welcome.

Aug 14, 2018 in AWS by datageek
 • 2,540 points 3,294 views

1 answer to this question.

0 votes

Something like this should work to allow User1 to only access User1's folder:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringLike":{"s3:prefix":["user1/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::user1/*"]
   }
 ]
}

I have taken the above piece of code from this article - Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket

Apply that as User1's policy, and then only User1 should be able to access the user1/ folder.If you substitute User2 for User1 in User2's policy, User2 should only be able to access the user2/folder.

I hope this was helpful.

answered Aug 14, 2018 by Deepthi
 • 300 points
Is it possible to allow access to common folder in root directory for the two users ?
commented Nov 24, 2020 by Vincy

Hi@Vincy,

Are you trying to say that an S3 bucket has two users? Can you explain your query a little bit more? So that we can help you as soon as possible.

commented Nov 24, 2020 by MD
 • 95,460 points

Related Questions In AWS

+1 vote
1 answer

download failed: s3://bucketnad/bucket.txt to .\bucket.txt [WinError 5] Access is denied: 'C:\\Users\\NADIM AKTHAR\\Desktop\\New folder\\bucket.txt'

Hi@akhtar, You may get this error if you ...READ MORE

answered Jun 8, 2020 in AWS by MD
 • 95,460 points 3,276 views
+1 vote
3 answers

How to get ARN for s3 Bucket using aws cli .

An ARN is a non-opaque, constructible identifier, ...READ MORE

answered Aug 16, 2018 in AWS by Priyaj
 • 58,020 points 5,645 views
0 votes
1 answer

How to set up a SPF(Sender Policy Framework) for AWS EC2 instance?

Setting up a SPF record is pretty ...READ MORE

answered Aug 16, 2018 in AWS by Archana
 • 4,170 points 1,642 views
0 votes
1 answer

How to change AWS S3 Bucket policies?

Here is the JSON file I used ...READ MORE

answered Nov 16, 2018 in AWS by Jino
 • 5,820 points 2,683 views
+6 votes
1 answer

Web UI (Dashboard): https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

Hey @nmentityvibes, you seem to be using ...READ MORE

answered Dec 13, 2018 in Kubernetes by Kalgi
 • 52,350 points 7,933 views
+4 votes
1 answer

How do I go from development docker-compose.yml to deployed docker-compose.yml in AWS

It can work if you try to put ...READ MORE

answered Jun 7, 2018 in AWS by Cloud gunner
 • 4,670 points 5,335 views
+15 votes
2 answers

Git management technique when there are multiple customers and need multiple customization?

Consider this - In 'extended' Git-Flow, (Git-Multi-Flow, ...READ MORE

answered Mar 27, 2018 in DevOps & Agile by DragonLord999
 • 8,450 points 4,034 views
+1 vote
2 answers

AWS CloudWatch Logs in Docker

The awslogs works without using ECS. you need to configure ...READ MORE

answered Sep 7, 2018 in AWS by bug_seeker
 • 15,510 points 2,032 views
0 votes
2 answers

How to access files in S3 bucket from R?

You can take a look at the ...READ MORE

answered Aug 10, 2018 in AWS by Deepthi
 • 300 points 6,617 views
0 votes
1 answer

Push Notification not sent by Amazon SNS to IOS application.

If the SNS endpoint is disabled after ...READ MORE

answered Aug 14, 2018 in AWS by Deepthi
 • 300 points 5,322 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.