

AWS User Policy for Single S3 Bucket

A common requirement is a backup service or script that uploads objects to S3 for storage. Since it's good practice to scope user permissions as narrowly as possible, this leads to creating a separate “API user” in Amazon for each service, each one given permission only for the buckets it needs to access. Unfortunately, the Resource URIs (ARNs) for AWS are non-intuitive: you have to remember to whitelist both the bucket itself (arn:aws:s3:::some-bucket-name) and its contents (arn:aws:s3:::some-bucket-name/*), because bucket-level calls such as listing are checked against the first and object-level calls such as upload against the second. If you're kind, you'll also allow listing all buckets, so that navigating through the UI or other tools is possible.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::some-bucket-name",
                "arn:aws:s3:::some-bucket-name/*"
            ]
        }
    ]
}
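To catch the two mistakes the post warns about (forgetting the bucket/* object ARN, or pasting a wide resource next to s3:*), here is a small linter for such a policy. It is an added example, not code from the original post; both policy documents inside it are constructed, the GOOD one mirroring the policy above.

```python
import json

# Constructed sample policies (added example): GOOD mirrors the post; BAD forgets
# the object ARN and hands s3:* to every bucket, a classic copy-paste over-grant.
GOOD_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": ["arn:aws:s3:::*"]},
  {"Effect": "Allow", "Action": ["s3:*"],
   "Resource": ["arn:aws:s3:::some-bucket-name", "arn:aws:s3:::some-bucket-name/*"]}]}"""
BAD_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::some-bucket-name"]}]}"""

# Account-wide actions that are harmless on arn:aws:s3:::* and keep the console
# and CLI navigable (the "if you're kind" grant in the post).
LISTING_ONLY = {"s3:ListAllMyBuckets", "s3:GetBucketLocation"}
S3_ARN_PREFIX = "arn:aws:s3:::"

def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise."""
    return [value] if isinstance(value, str) else list(value)

def _bucket_of(resource):
    """Bucket component of an S3 ARN; None for '*' or a non-S3 ARN."""
    if not resource.startswith(S3_ARN_PREFIX):
        return None
    return resource[len(S3_ARN_PREFIX):].split("/", 1)[0]

def lint_single_bucket_policy(policy_json, bucket):
    """Return findings; an empty list means the policy is scoped to `bucket`."""
    bucket_arn, object_arn = S3_ARN_PREFIX + bucket, S3_ARN_PREFIX + bucket + "/*"
    seen, findings = set(), []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            seen.add(res)
            name = _bucket_of(res)
            # Wildcard or a different bucket name: only listing actions belong here.
            if name is None or "*" in name or "?" in name or name != bucket:
                over = [a for a in actions if a not in LISTING_ONLY]
                if over:
                    findings.append(f"{over} on {res} reaches buckets other than {bucket}")
    if bucket_arn not in seen:
        findings.append(f"missing {bucket_arn}: bucket-level calls such as ListBucket fail")
    if object_arn not in seen:
        findings.append(f"missing {object_arn}: object calls such as PutObject fail")
    return findings
```

Running it against GOOD_POLICY returns no findings; BAD_POLICY produces one over-grant finding and one missing-object-ARN finding.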

#protip #selfreference

Posted in Tutorials.

