How can I grant a user access to a specific folder in my Amazon S3 bucket?


I want to restrict an AWS Identity and Access Management (IAM) user to access only specific folders in Amazon Simple Storage Service (Amazon S3).

Resolution

If the user and bucket belong to the same AWS account, then use an IAM policy to grant the user access to the bucket folder. If the IAM policy grants access, then you don't need to update the bucket policy.

Note: If the Amazon S3 bucket policy explicitly denies the IAM user access to the folder, then you must update the bucket policy.

If the IAM user and S3 bucket belong to different AWS accounts, then grant access on both the IAM policy and the bucket policy. For more information, see How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?

Single-user policy

The following example IAM policy grants a user named David full access to only his folder (/home/David).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStatement1",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowStatement2A",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "home/",
            "home/David"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowStatement3",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/David/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowStatement4A",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/David/*"
      ]
    }
  ]
}

The policy includes these statements:

  • AllowStatement1: Allows the user to list the buckets that belong to their AWS account. This permission allows the user to navigate to the bucket in the console.
  • AllowStatement2A: Allows the user to list the folders within DOC-EXAMPLE-BUCKET. This permission allows the user to navigate to the folder in the console.
  • AllowStatement3: Allows the user to list the contents within the DOC-EXAMPLE-BUCKET/home/David folder.
  • AllowStatement4A: Allows all actions, such as read, write, and delete permissions, within only the DOC-EXAMPLE-BUCKET/home/David folder.

Multiple-user policy

In some cases, you don't know the exact name of the resource when you write the policy. For example, suppose that you want to allow every user to have their own objects in an Amazon S3 bucket. Instead of creating individual policies for each user, use policy variables to create a group policy that applies to multiple users. Policy variables allow you to specify placeholders in a policy. When you make a request to AWS, a value from the request replaces the placeholder when the policy is evaluated.

Note: This article uses the aws:username key, which returns the user's friendly name, such as "Adele" or "David." This value is obtained from the username that you provide when you create the IAM user. In some cases, it's better to use a globally unique value instead. For example, when you use an IAM role, the value of aws:username might not be valid for that IAM entity. For more information, see Principal key values.

The following example shows a policy for an Amazon S3 bucket that uses the policy variable ${aws:username}:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "home/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/${aws:username}/*",
            "home/${aws:username}"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/${aws:username}/*"
      ]
    }
  ]
}

In this policy, when a user makes a request to AWS, the requester's name replaces the variable. For example, when David makes a request, ${aws:username} resolves to David.

Note: The IAM user can list all prefixes at the parent level, such as DOC-EXAMPLE-BUCKET/. Users can navigate to their home directory in any graphical user interface (GUI) client. If you don't provide the list action at the parent level, then you must use a command line interface to directly access the specific folder.
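The following added example (not part of the original article and not AWS code) models locally how the conditions in the multiple-user policy decide list and object requests once ${aws:username} is resolved. It is a simplified sketch that covers only this policy's Allow statements, with no bucket policy or explicit deny; the function names and the request values are assumptions made for illustration.

```python
import re

# Simplified local model of how IAM evaluates the two ListBucket statements
# and the object statement of the multiple-user policy. Not an AWS API.
BUCKET = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
LIST_STATEMENTS = [
    {"StringEquals": {"s3:prefix": ["", "home/"], "s3:delimiter": ["/"]}},
    {"StringLike": {"s3:prefix": ["home/${aws:username}/*",
                                  "home/${aws:username}"]}},
]
OBJECT_RESOURCE = BUCKET + "/home/${aws:username}/*"


def resolve(pattern, ctx):
    """Replace ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx[m.group(1)], pattern)


def like(pattern, value):
    """IAM-style wildcard match: * is any run of characters, ? is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None


def condition_ok(condition, ctx):
    """Operators and keys are ANDed; the values listed for one key are ORed."""
    for op, keys in condition.items():
        for key, patterns in keys.items():
            value = ctx.get(key)
            if value is None:          # key absent from the request: no match
                return False
            wanted = [resolve(p, ctx) for p in patterns]
            hit = (value in wanted if op == "StringEquals"
                   else any(like(p, value) for p in wanted))
            if not hit:
                return False
    return True


def can_list(user, prefix, delimiter=None):
    ctx = {"aws:username": user, "s3:prefix": prefix}
    if delimiter is not None:
        ctx["s3:delimiter"] = delimiter
    return any(condition_ok(s, ctx) for s in LIST_STATEMENTS)


def can_access_object(user, key):
    ctx = {"aws:username": user}
    return like(resolve(OBJECT_RESOURCE, ctx), f"{BUCKET}/{key}")
```

In this model, a listing of home/ without the "/" delimiter is refused, which is what keeps a recursive listing from returning other users' object keys, and the slash in home/${aws:username}/* keeps David from matching a sibling folder such as home/David2/.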

Limit access based on the IAM Identity Center user principal

You can control access to an S3 bucket folder based on the AWS IAM Identity Center (successor to AWS Single Sign-On) user principal. Each user in the IAM Identity Center directory has a unique user ID. Use the policy variable ${identitystore:UserId} for each user whose folder access you want to limit.

Note: When you create the S3 folder, make sure that the folder name corresponds to the ID of the user in the IAM Identity Center directory.

For example, suppose a user ('John') in the IAM Identity Center directory has a corresponding unique user ID of 1111111111-2a2aaa222-bb33-4444-5555-5cc5555c555c. To manage this user, create a folder for John in the S3 bucket with the name /home/1111111111-2a2aaa222-bb33-4444-5555-5cc5555c555c. To find the user IDs for your users, navigate to each user in the IAM Identity Center console, or use the DescribeUser API.

The following example IAM policy uses the ${identitystore:UserId} variable:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "home/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/${identitystore:UserId}/*",
            "home/${identitystore:UserId}"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/${identitystore:UserId}/*"
      ]
    }
  ]
}

Related information

AWS Policy Generator

Controlling access to a bucket with user policies

Amazon S3 condition key examples

AWS OFFICIAL
Updated 6 months ago
1 Comment

You can check NirvaShare; it has capabilities to share folders with users from the AWS Identity Center or from any other identity stores such as Active Directory, etc.

replied a year ago