9
votes

I'm trying to figure out a basic permission set for an IAM user/key to have to have access to only a single bucket in S3 - only read/write access on an individual bucket.

What set of permissions is the minimum required to make this work? I have all options selected in the IAM policy generator for S3, all permissions enabled on the bucket except CreateBucket and DeleteBucket. I've also created a set of keys specific to this user.

When I try to access the bucket with these credentials, I get a problem listing buckets, even though the ListAllMyBuckets property is enabled.

Anyone have any experience setting up a basic bucket config like this? Seems like it would be pretty common...

2
Why do you want to list buckets in the first place, when the IAM user is only supposed to access a single bucket in S3? – Steffen Opel

If you don't record the bucket name the user has access to, then ListAllMyBuckets is OK - then code can figure out which buckets the user can actually go into. This depends on 'how private' you want the bucket names to be. But since bucket names are basically in the public domain (you can ping amazon to find out if any bucket name is in use), only 'random string' bucket names are anywhere close to private, and even this is fleeting, as bucket names go out with each URL generated, etc. – Tom Andersen

Steffen, I don't want the account to ListAllBuckets, but it's not working with the perms I want, so I'm progressively enabling more permissions to see if there's some higher level denial of access going on... – colemanm

2 Answers

12
votes

The Example Policies for Amazon S3 cover various use cases similar or related to yours - specifically you might probably want to combine Example 1: Allow each user to have a home directory in Amazon S3 with Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket - you'd just need to adjust the Resource to target your bucket's root directory instead, i.e. replace /home/bob/* with *.

Please note that Example 2 facilitates ListBucket, which is an operation on a bucket that returns information about some of the items in the bucket, whereas ListAllMyBuckets is an operation on the service that returns a list of all buckets owned by the sender of the request, so likely not applicable to your use case (see my comment regarding clarification of the latter).

0
votes

This will permit listing all buckets, assuming you are not denying it somewhere else (I am 99% sure deny statements are evaluated first; order does not matter with IAM policies):

    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
    }

Permit whatever you want for your buckets (don't forget the /* as well):

    {
        "Effect": "Allow",
        "Action": [
            "s3:<Put your actions here; cherry pick from the AWS documentation>"
        ],
        "Resource": [
            "arn:aws:s3:::<Bucket name here>",
            "arn:aws:s3:::<Bucket name here>/*"
        ]
    }
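To see why both the bucket ARN and the `/*` ARN are needed, and that an explicit Deny wins regardless of statement order, here is an added example (not from the answer or AWS): a deliberately simplified policy evaluator run against the two statements above, filled in with the placeholder bucket name `example-bucket` and a constructed Deny statement. It models only Action/Resource wildcards, not Conditions, NotAction, or bucket policies.

```python
import copy
import fnmatch

# Constructed example: the answer's two statements with a placeholder bucket
# name filled in, plus an explicit Deny to show that Deny always wins.
BUCKET = "example-bucket"  # placeholder, not a real bucket
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"],
         "Resource": [BUCKET_ARN + "/*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM logic: an explicit Deny always wins, otherwise any
    matching Allow grants access, otherwise the request is implicitly denied.
    IAM's '*' matches '/' too, so the bare bucket ARN and the '/*' ARN are
    distinct resources: ListBucket targets the former, object calls the latter."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def check_bucket_access(policy, bucket=BUCKET):
    """Exercise the calls the question is about against the policy."""
    arn = f"arn:aws:s3:::{bucket}"
    key = arn + "/reports/2024.csv"  # constructed object key
    return {
        "list_all_buckets": is_allowed(policy, "s3:ListAllMyBuckets", "*"),
        "list_bucket": is_allowed(policy, "s3:ListBucket", arn),
        "get_object": is_allowed(policy, "s3:GetObject", key),
        "put_object": is_allowed(policy, "s3:PutObject", key),
        "delete_object": is_allowed(policy, "s3:DeleteObject", key),
        "other_bucket_get": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
    }

def without_bucket_arn(policy):
    """The common mistake: keeping only the '/*' resource, dropping the bucket ARN."""
    stripped = copy.deepcopy(policy)
    for stmt in stripped["Statement"]:
        stmt["Resource"] = [r for r in _as_list(stmt["Resource"]) if r != BUCKET_ARN]
    return stripped
```

With the bucket ARN removed, `check_bucket_access(without_bucket_arn(POLICY))` still allows GetObject but reports ListBucket as denied, which is the symptom of forgetting one of the two resource entries.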