
I have an Amazon Web Services S3 bucket I want to use with the Android data-syncing app 'FolderSync'.

Towards that I want to set limited permissions on the bucket for a new user.

Within the AWS management console I can create the user, but the only S3-related permissions I can find to assign to that user are:

  • AmazonS3FullAccess ("Provides full access to all buckets via the AWS Management Console.")
  • AmazonS3ReadOnlyAccess ("Provides read only access to all buckets via the AWS Management Console.")

Neither of which sounds like what I want (I don't want access via the console for this user and I don't want it for 'all buckets').

If I don't set any permissions for this user I get a warning message, but otherwise I am able to complete the user creation; however, when I then go to the bucket to assign rights to that user, the new user doesn't appear in the dropdown list (as shown below).

[screenshot: the bucket's permissions grantee dropdown, without the new user in it]

There must be a way to do this - can anybody help?

glaucon

2 Answers


The grantee can be an AWS account or one of the predefined Amazon S3 groups. For your case, it is recommended to combine an S3 bucket policy with an IAM policy in order to harden your assets' security. So, granting a user access to a specific S3 bucket should be done as follows:

1- Go to the S3 service, select your bucket and edit its permissions: create a custom policy like the following:

{
"Version": "2012-10-17",
"Id": "S3-Account-Permissions",
"Statement": [{
  "Sid": "1",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::account-number-without-hyphens:user/username"},
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::mybucket",
    "arn:aws:s3:::mybucket/*"
  ]
}]
}

2- Navigate to the IAM service and create a custom policy. Here is what the policy should look like:

{
"Version": "2012-10-17",
"Statement": [
{
  "Effect": "Allow",
  "Action": [
    "s3:*"
  ],
  "Resource": [
    "arn:aws:s3:::mybucket",
    "arn:aws:s3:::mybucket/*"
  ]
}
]
}

3- Attach the newly created policy to your user.

Alaa Chatti

The policy offered in the other answer will not allow listing buckets, neither in the S3 console nor in any other app that can show files in buckets. This IAM policy allows a user to access only one specified bucket and restricts everything else.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ]
        }
    ]
}
Anton Zorin
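The two answers disagree about whether a client can list buckets, and both posted policies had JSON slips. The script below is an added example, not code from either answer or from AWS: a small Python model of IAM's evaluation order (explicit Deny wins, then any matching Allow, otherwise implicit deny, with IAM's `*`/`?` wildcards and case-insensitive action names) run against the first answer's IAM policy and the second answer's policy, plus a linter for the kind of slips visible in the posted JSON. It assumes the placeholder bucket name mybucket and that Principal and Condition elements can be ignored, which holds for the same-account IAM user the question is about.

```python
"""Model IAM policy evaluation for the two policies on this page.

Added example for this page, not AWS code.  Principal/Condition are ignored
(same-account IAM user), so only Effect, Action/NotAction and
Resource/NotResource are modelled.  Assumed placeholder bucket: mybucket.
"""
import fnmatch
import json

BUCKET = "arn:aws:s3:::mybucket"  # placeholder name used by the answers

# IAM policy from the first answer (step 2), with its duplicate "Resource"
# key and trailing-slash ARN corrected.
ONE_BUCKET_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET, BUCKET + "/*"]},
    ],
}

# Policy from the second answer, with its JSON syntax corrected.
LIST_PLUS_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Deny", "NotAction": "s3:*", "NotResource": [BUCKET, BUCKET + "/*"]},
    ],
}


def _as_list(value):
    """IAM lets most elements be either one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive."""
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _applies(stmt, action, resource):
    """A statement applies when its action and resource elements both match;
    NotAction / NotResource invert the respective match."""
    if "Action" in stmt:
        action_ok = _matches(_as_list(stmt["Action"]), action, fold_case=True)
    else:
        action_ok = not _matches(_as_list(stmt["NotAction"]), action, fold_case=True)
    if "Resource" in stmt:
        resource_ok = _matches(_as_list(stmt["Resource"]), resource)
    else:
        resource_ok = not _matches(_as_list(stmt["NotResource"]), resource)
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request.
    Several policies are merged into one statement set, which is how AWS
    combines an identity policy with a same-account bucket policy."""
    statements = [s for p in policies for s in _as_list(p["Statement"])]
    applicable = [s for s in statements if _applies(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "explicit_deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "allow"
    return "implicit_deny"


def problems(policy_text):
    """Lint a policy document as text: invalid JSON (a trailing comma),
    duplicate keys (two "Resource" lines, which json.loads would otherwise
    silently collapse to the last one) and S3 ARNs with a trailing slash
    (a bucket ARN is arn:aws:s3:::name, its objects are name/*)."""
    found = []

    def no_dupes(pairs):
        keys = [k for k, _ in pairs]
        for k in set(keys):
            if keys.count(k) > 1:
                found.append(f"duplicate key: {k}")
        return dict(pairs)

    try:
        policy = json.loads(policy_text, object_pairs_hook=no_dupes)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    for stmt in _as_list(policy.get("Statement", [])):
        for arn in _as_list(stmt.get("Resource") or stmt.get("NotResource") or []):
            if not arn.startswith("arn:aws:s3:::") or arn.endswith("/"):
                found.append(f"suspicious S3 ARN: {arn}")
    return found


if __name__ == "__main__":
    # Constructed requests: what a sync client does, plus two it must not do.
    requests = [
        ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),  # bucket picker in the app
        ("s3:ListBucket", BUCKET),
        ("s3:PutObject", BUCKET + "/photos/2016/img.jpg"),
        ("s3:GetObject", "arn:aws:s3:::someone-elses-bucket/secret"),
        ("ec2:DescribeInstances", "*"),
    ]
    for name, policy in (("answer 1", ONE_BUCKET_ONLY), ("answer 2", LIST_PLUS_ONE_BUCKET)):
        print(name, "lint:", problems(json.dumps(policy)) or "ok")
        for action, resource in requests:
            print(f"  {action:22} {resource:48} -> {evaluate([policy], action, resource)}")
```

Running it shows the difference the second answer describes: under the first answer's IAM policy `s3:ListAllMyBuckets` is an implicit deny, because the request's resource is not the bucket ARN, so an app that starts by enumerating buckets gets nothing to pick from; under the second policy it is allowed, objects in other buckets stay implicitly denied, and non-S3 calls are explicitly denied by the Deny/NotAction/NotResource statement. The linter is what would have caught the duplicate `"Resource"` key and `arn:aws:s3:::mybucket/` in the first answer's original posting.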