AWS, IAM, and S3
I've been trying to figure out how the IAM security policies work in AWS for quite a while now.
There is a lot of documentation, pictures, and some examples explaining how to do many things; though what I was looking for was/is hard to find. My goal was to create an IAM policy that would grant an IAM user group access to one S3 bucket. After trying to read examples that made sense in theory, I went off trying to cobble together a policy that would get me to my goal, with some bumps on the road (be careful of the Grantee option in S3, it can act more globally than expected).
Here are the policies that I came up with to “Allow a Specific Group access to a Specific Bucket”:
The first thing that was needed was to let the group see the available bucket list. When I first set out I just wanted the one specified bucket to be shown; there was little success in that approach.
Code:
{
  "Statement": [
    {
      "Sid": "Stmt1331770574007",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
The next policy gave full rights for the group to do whatever they want in a specific bucket.
Code:
{
  "Statement": [
    {
      "Sid": "Stmt1331842424093",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket*"
      ]
    }
  ]
}
The key seemed to be the "bucket*"; other things I tried were: bucket, bucket/, bucket/*. Though none of them worked in the way I thought they should. It must have something to do with folders in buckets not actually being folders, but acting more as keys in a string.
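An added example, not code from the original post, to make the "bucket*" behaviour concrete. In an IAM Resource element, `*` matches any run of characters including `/`, so `arn:aws:s3:::bucket*` covers both the bare bucket ARN (which bucket-level actions such as s3:ListBucket are evaluated against) and every `bucket/key` object ARN (which object-level actions such as s3:GetObject are evaluated against); that is why it worked where `bucket/*` alone did not. The same wildcard also covers any other bucket whose name merely starts with "bucket", which is the overreach a least-privilege policy should avoid. The script below reimplements only IAM's resource-wildcard matching (not Action, Condition or Deny evaluation) and compares the post's policy with a tighter two-statement version; the bucket names, object keys, Sids and the `TIGHT_POLICY` wording are all constructed for this example.

```python
"""Added example, not part of the original post: an offline check of which
S3 ARNs an IAM policy's Resource patterns reach. Only IAM's resource
wildcard matching is modelled ('*' = any run of characters, '?' = exactly
one); Action, Condition and Deny evaluation are out of scope. The bucket
names, object keys and Sids below are constructed sample values."""
import re
from typing import Iterable, Set

# The policy as written in the post above: a single wildcard resource.
LOOSE_POLICY = {
    "Statement": [
        {"Sid": "Stmt1331842424093", "Action": ["s3:*"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::bucket*"]}
    ]
}

# Least-privilege rewrite (assumed wording, not from the post): bucket-level
# actions on the bucket ARN, object-level actions on bucket/*. Neither
# pattern can spill into another bucket whose name starts with "bucket".
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListOneBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::bucket"},
        {"Sid": "ObjectsInOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::bucket/*"},
    ],
}

# Constructed sample ARNs: the intended bucket, a look-alike bucket that
# shares the name prefix, and an unrelated bucket.
SAMPLE_ARNS = [
    "arn:aws:s3:::bucket",
    "arn:aws:s3:::bucket/reports/q1.csv",
    "arn:aws:s3:::bucket-prod",
    "arn:aws:s3:::bucket-prod/customers/secret.txt",
    "arn:aws:s3:::other-team-data",
]


def resource_matches(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters (including
    '/'), '?' matches exactly one; everything else is a literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def _as_list(value) -> list:
    # IAM allows Statement and Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]


def reachable_arns(policy: dict, candidates: Iterable[str]) -> Set[str]:
    """ARNs matched by the Resource element of at least one Allow statement."""
    candidates = list(candidates)
    reached: Set[str] = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Resource", [])):
            reached.update(a for a in candidates if resource_matches(pattern, a))
    return reached


def belongs_to_bucket(arn: str, bucket: str) -> bool:
    """True for the bucket ARN itself and for any object ARN inside it."""
    prefix = f"arn:aws:s3:::{bucket}"
    return arn == prefix or arn.startswith(prefix + "/")


def overreach(policy: dict, intended_bucket: str,
              candidates: Iterable[str]) -> Set[str]:
    """Reachable ARNs that are not part of the bucket the policy was meant for."""
    candidates = list(candidates)
    return {a for a in reachable_arns(policy, candidates)
            if not belongs_to_bucket(a, intended_bucket)}


if __name__ == "__main__":
    for name, policy in (("bucket*", LOOSE_POLICY),
                         ("bucket + bucket/*", TIGHT_POLICY)):
        print(f"{name}: reaches {sorted(reachable_arns(policy, SAMPLE_ARNS))}")
        print(f"  outside intended bucket: "
              f"{sorted(overreach(policy, 'bucket', SAMPLE_ARNS))}")
```

Run it and the loose policy reaches `arn:aws:s3:::bucket-prod` and its objects, while the two-resource policy reaches only the intended bucket and its keys. The same split (bucket ARN for ListBucket-style actions, `bucket/*` for object actions) is what makes the tighter form work without the prefix wildcard.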