1 vote

In AWS, I (joe.doe@accountXYZ) created an S3 bucket, thus I am this S3 bucket's owner.

I want to configure this S3 bucket based on the IAM role, thus only some IAM roles, such as [role_xyz, role_abc, role_cde], can read this bucket.

From the AWS console, it seems that I cannot configure it.

Can anyone tell me whether it is possible to do that?

========

I understand that from the IAM role side you can configure a policy for this S3 resource. But my question here is on the S3 resource side, whether I can define an access policy based on IAM roles.

1 comment

How to Restrict Amazon S3 Bucket Access to a Specific IAM Role: aws.amazon.com/blogs/security/… (comment by jarmod)

1 Answer

2
votes

It appears that your requirement is to permit certain specific roles access to a particular Amazon S3 bucket.

There are two ways to do this:

Option 1: Add permissions to the Role

This is the preferred option. You can add a policy to the IAM Role that grants access to the bucket. It would look similar to:

{
    "Id": "Policy1",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

This is a good method because you just add the policy to the desired Role(s), without having to touch the actual buckets.

Option 2: Add a Bucket Policy

This involves putting the permissions on the bucket, which grants access to a specific role. This is less desirable because you would have to put the policy on every bucket and refer to every Role.

It would look something like:

{
    "Id": "Policy1",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ],
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/my-role"
            }
        }
    ]
}

Please note that these policies are granting s3:* permissions on the bucket, which might be too wide for your purposes. It is always best to only grant the specific, required permissions rather than granting all permissions.
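One caveat a practitioner will want on top of the answer above: both options only add an Allow. They do not by themselves stop another principal in the same account that already holds broad S3 permissions (an administrator role, or any role with s3:* in its own identity policy) from reading the bucket. If the requirement really is "only these roles", the bucket policy also needs an explicit Deny for everyone else, conditioned on the caller's ARN, which is the approach the AWS blog post linked in the comment takes. The Python below is an added example, not code from the answer or from AWS: it builds such a read-only bucket policy for the question's three roles and includes a small, deliberately simplified evaluator (explicit Deny beats Allow, no matching Allow means denied) so you can check who the generated policy actually lets in before you apply it. The account ID 123456789012, the bucket name mybucket and the break-glass role named admin are assumptions; the aws:PrincipalArn condition key, which resolves to the role ARN for role sessions, is a real IAM key.

```python
"""Generate a bucket policy that lets only listed IAM roles read a bucket,
plus a toy evaluator to sanity-check the result. Added example; values
below (account id, bucket, role names) are assumed, not taken from AWS."""
import fnmatch
import json
import re

ACCOUNT_ID = "123456789012"                          # assumed account id
BUCKET = "mybucket"                                  # assumed bucket name
READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]     # least-privilege read set

# Accepts IAM role, user and account-root ARNs; anything else is rejected
# before it lands in a policy.
PRINCIPAL_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user|root)(/[\w+=,.@/-]+)?$")


def bucket_arns(bucket):
    """Both ARNs are needed: the bucket for ListBucket, the objects for GetObject."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def build_read_only_bucket_policy(bucket, account_id, role_names, break_glass_arns=()):
    """Allow READ_ACTIONS to the named roles and explicitly deny every other
    principal, including other principals in the same account.

    break_glass_arns: extra principal ARNs (e.g. an admin role) exempted from
    the Deny so the account does not lock itself out of its own bucket.
    They are NOT granted anything here; they rely on their identity policy."""
    role_arns = [f"arn:aws:iam::{account_id}:role/{name}" for name in role_names]
    exempt = role_arns + list(break_glass_arns)
    for arn in exempt:
        if not PRINCIPAL_ARN_RE.match(arn):
            raise ValueError(f"not an IAM principal ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadForListedRoles",
                "Effect": "Allow",
                "Principal": {"AWS": role_arns},
                "Action": READ_ACTIONS,
                "Resource": bucket_arns(bucket),
            },
            {
                "Sid": "DenyEveryoneElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": bucket_arns(bucket),
                # aws:PrincipalArn is the role ARN for role sessions, so the
                # Deny does not have to enumerate assumed-role session ARNs.
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": exempt}},
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    return arn in _as_list(principal.get("AWS", []))


def _any_match(patterns, value):
    # IAM wildcards in Action/Resource behave like shell globs; '*' spans '/'.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, arn):
    # Only the operator/key the generated policy uses is modelled here.
    for operator, key_values in condition.items():
        if operator != "ArnNotEquals":
            raise NotImplementedError(operator)
        for key, values in key_values.items():
            if key != "aws:PrincipalArn":
                raise NotImplementedError(key)
            if arn in _as_list(values):
                return False
    return True


def is_allowed(policy, principal_arn, action, resource):
    """Toy evaluation of one bucket policy: an applicable explicit Deny wins,
    otherwise the request is allowed only if some Allow statement applies."""
    allowed = False
    for stmt in policy["Statement"]:
        applies = (_principal_matches(stmt["Principal"], principal_arn)
                   and _any_match(stmt["Action"], action)
                   and _any_match(stmt["Resource"], resource)
                   and _condition_holds(stmt.get("Condition", {}), principal_arn))
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    admin = f"arn:aws:iam::{ACCOUNT_ID}:role/admin"   # assumed break-glass role
    policy = build_read_only_bucket_policy(
        BUCKET, ACCOUNT_ID, ["role_xyz", "role_abc", "role_cde"], break_glass_arns=[admin])
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    for who in ("role_xyz", "role_other", "admin"):
        arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{who}"
        print(f"{who:10} GetObject={is_allowed(policy, arn, 's3:GetObject', obj)} "
              f"PutObject={is_allowed(policy, arn, 's3:PutObject', obj)}")
```

Two things worth noticing when you run it: the listed roles get read access from the bucket policy alone (for same-account principals an Allow in either the identity policy or the bucket policy is enough, so Option 2 really does work without touching the roles), and a role that is not listed is refused even if its own identity policy says s3:*, because the Deny applies to it. The break-glass ARN is exempt from the Deny but gets no Allow from this policy, so keep the list of exempt ARNs short and review it; an unlisted administrator is locked out until the policy is changed. The evaluator models only the operator the generated policy uses and is for checking this policy, not a general IAM simulator; for that, use the IAM policy simulator or S3 Access Analyzer before applying the policy.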