How to create an Amazon S3 bucket Access Policy

     In this article we will see how to create an Access Policy that will allow us to limit access to this AWS S3 Bucket to only one user and in the same time limit a user to have access to only one AWS S3 bucket.

  Many times you will need to separate user access over AWS objects and you need to make sure they don't have access to each other resources unless you want them to.

 What is an AWS IAM Policy ?

   A policy is a document that formally assigns permissions to a user, group, role, or resource, you create a policy, which is a document that explicitly lists permissions.

A policy lets you specify the following:

Actions

- what action are allowed.

Resources

- on what resources are the action allowed.

Effect

- type of the effect on the action. (to enable it or to disable it)

What is the format of a policy ?

Policies are created using JSON format files and it can have one or more statements, each of which describes one set of permissions.

Policy example
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::my_bucket"
  }
}
  • this policy will allow to list a bucket called my_bucket.
    Now that you have a basic idea of what is a policy and what do we use it for we will continue with our topic and create a policy that will restrict access to a user only to it and to the list of actions we want it to have.

User Access Policy over a single AWS S3 bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                        "s3:GetBucketLocation",
                        "s3:ListAllMyBuckets"
                      ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::usrftpjoe-bkt",
                "arn:aws:s3:::usrftpjoe-bkt/*"
            ]
        }
    ]
}
You can see we allow the user to list the existing buckets and than we state he will have all the access to actions on top of the S3 bucket called userftpjoe-bkt.

How to use Amazon Console to create the policy

1 - Login into you Amazon Console and go to IAM iam-1 2 - Choose to create a new policy iam-2 3 - Choose Create Your Own Policy option iam-3 4 - Provide the Name, description and the body the policy. Validate first and then Create the policy. iam-4

How to use Amazon command line utility to create the policy

aws iam put-user-policy --user-name usrFtpJoe --policy-name usrFtpJoe-S3-access-policy --policy-document /tmp/usrFtpJoe-bucket-policy.json
   Where the /tmp/usrFtpJoe-bucket-policy.json must contain the above definition of the policy and the user name must be provided, in my case my user name is userFtpJoe and the policy name i choose is usrFtpJoe-S3-access-policy.

You can attach the policy to a user using the Gui or the command line AWS client. 

Use Amazon Console to attach the policy:

1 - Select the policy and Choose Attach iam-5 2 - Choose the user to attach the policy to and click on the Attach Policy button. iam-6

Use Amazon Command Line utility to attach the policy to a user

aws iam attach-user-policy --policy-arn arn:aws:iam::393556751081:policy/usrFtpJoe-S3-access-policy --user-name usrFtpJoe
You need to provide the command with policy arn and the user name. How to get the policy arn ? 
aws iam list-policies --output text | grep <policy name