
AWS IAM allows very powerful and complex permissions to be set up, but it leaves a lot to be desired for simple requirements.

Here are some quick and easy examples of S3 permission policies for a few of the most common requirements I've come across.

These JSON policies are attached to an IAM user via AWS IAM. Replace the `$BUCKET_NAME` and `$DIRECTORY_NAME` placeholders with your own values before attaching a policy; `$DIRECTORY_NAME` is given without a trailing slash, because the policies append the `/` themselves where it is needed.


Allow User Full CRUD Access to S3 Bucket

Note that `s3:*` on the bucket ARN grants every S3 action on that bucket, including bucket-configuration actions such as `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketAcl`, not just object CRUD; list the object actions explicitly if the user should only manage objects. The `s3:GetBucketLocation` statement is scoped to `arn:aws:s3:::*`, i.e. every bucket in the account, which only returns a bucket's region but is broader than the target bucket.


    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws:s3:::*"
          },
          {
              "Effect": "Allow",
              "Action": "s3:*",
              "Resource": [
                  "arn:aws:s3:::$BUCKET_NAME",
                  "arn:aws:s3:::$BUCKET_NAME/*"
              ]
          }
      ]
    }


Allow User Full CRUD Access to Subdirectory in S3 Bucket

The two `s3:ListBucket` statements are what keep listing confined to the directory: the first lets the user see the directory entry at the bucket root (prefix equal to `$DIRECTORY_NAME` with delimiter `/`), the second lets them list inside it. A listing request with no prefix, or with any other prefix, matches neither condition and is therefore denied. `s3:*Object` is a wildcard that matches every S3 action whose name ends in `Object`, not only `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject`, so spell the actions out if the exact set matters.


    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": [
                    "arn:aws:s3:::$BUCKET_NAME"
                ],
                "Condition": {
                    "StringEquals": {
                        "s3:prefix": [
                            "$DIRECTORY_NAME"
                        ],
                        "s3:delimiter": [
                            "/"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::$BUCKET_NAME",
                "Condition": {
                    "StringLike": {
                        "s3:prefix": [
                            "$DIRECTORY_NAME/",
                            "$DIRECTORY_NAME/*"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "s3:*Object",
                "Resource": [
                    "arn:aws:s3:::$BUCKET_NAME/$DIRECTORY_NAME/",
                    "arn:aws:s3:::$BUCKET_NAME/$DIRECTORY_NAME/*"
                ]
            }
        ]
    }



Allow User Read-Only Access to Subdirectory in S3 Bucket

This is the read-only variant of the policy above: the only difference is that the object statement grants `s3:GetObject` instead of `s3:*Object`, so the user can list and download but not upload or delete. On a versioned bucket, reading a specific non-current version additionally requires `s3:GetObjectVersion`.


    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": [
                    "arn:aws:s3:::$BUCKET_NAME"
                ],
                "Condition": {
                    "StringEquals": {
                        "s3:prefix": [
                            "$DIRECTORY_NAME"
                        ],
                        "s3:delimiter": [
                            "/"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::$BUCKET_NAME",
                "Condition": {
                    "StringLike": {
                        "s3:prefix": [
                            "$DIRECTORY_NAME/",
                            "$DIRECTORY_NAME/*"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": [
                    "arn:aws:s3:::$BUCKET_NAME/$DIRECTORY_NAME/",
                    "arn:aws:s3:::$BUCKET_NAME/$DIRECTORY_NAME/*"
                ]
            }
        ]
    }