Create a single IAM user to access only specific S3 bucket

I have many S3 buckets in my AWS account. Now I have created an IAM user and a new S3 bucket, and I would like to give this user the ability to access the new S3 bucket using a client like CyberDuck.

I have tried creating many policies, but with each of them this user also gets permission to list all my other buckets. How can I give list and write access to a single S3 bucket only?

asked Jun 11 '18 16:06 by Sruthin Kumar TK


3 Answers

First you create a Policy to allow access to a single S3 bucket (IAM -> Policies -> Create Policy). You can use AWS Policy Generator (http://awspolicygen.s3.amazonaws.com/policygen.html), it should look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1528735049406",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::YOURBUCKETNAME"
    },
    {
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::YOURBUCKETNAME/*"
    }
  ]
}

Save the policy and note the name you gave to it, then go to IAM -> Users and select the desired user. In the permissions tab, click 'Add permissions', then select 'Attach existing policies directly' near the top. Find your policy by its name, tick its checkbox and complete the process.

answered Sep 22 '22 12:09 by marekful


Per this ( https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/ ), they'll need to be able to at least list all the buckets. But other than that, this also provides an example policy, which I just used last night for my own account, so I can confirm that it works.

Update: Okay, I've tested and confirmed using CyberDuck that the following policy (customized to your environment, of course) will prevent users from viewing all root buckets, and only allow them access to the bucket you specify:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllInBucket",
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket-for-single-user",
                "arn:aws:s3:::bucket-for-single-user/*"
            ]
        }
    ]
}

Just make sure that when you specify the path in CyberDuck, you enter it as: bucket-for-single-user.s3.amazonaws.com.

Also, only START unrestricted like that, just to make sure it's working for you (since access appears to be an issue). After that, apply restrictions, you know...least privilege and all.

answered Sep 23 '22 12:09 by thisAaronMdev


According to Cyberduck Help / Howto / Amazon S3, it supports directly entering the Bucket name, as <bucketname>.s3.amazonaws.com. If this is possible with the client you are using, you don't need s3:ListAllMyBuckets permissions.

Actions should be grouped by the Resources that they can parse (Conditions are also potentially different per Action).

This IAM policy will allow full control of all the content (aka in the bucket) without control of the S3 bucket subresources (aka of the bucket):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketOperations",
            "Effect": "Allow",
            "Action": "s3:ListBucket*",
            "Resource": "arn:aws:s3:::<bucketname>"
        },
        {
            "Sid": "ObjectOperations",
            "Effect": "Allow",
            "Action": [
               "s3:AbortMultipartUpload",
               "s3:ListMultipartUploadParts",
               "s3:DeleteObject*",
               "s3:GetObject*",
               "s3:PutObject*"
            ],
            "Resource": "arn:aws:s3:::<bucketname>/*"
        },
        {
            "Sid": "DenyAllOthers",
            "Effect": "Deny",
            "Action": "s3:*",
            "NotResource": [
               "arn:aws:s3:::<bucketname>",
               "arn:aws:s3:::<bucketname>/*"
            ]
        }
    ]
}

If you aren't specifically trying to lock the IAM user out of every possible public S3 bucket, you can leave the "DenyAllOthers" Sid off, without granting additional permissions to the users.

FYI, the AWS ReadOnlyAccess policy automatically gives s3:* to anything it's attached to. I recommend ViewOnlyAccess (which will unfortunately grant s3:ListAllMyBuckets without the DenyAllOthers).

answered Sep 24 '22 12:09 by Sean Summers
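To see why a policy whose only Resource is the bucket ARN (the shape of the first two answers) never reaches objects, and why the third answer's Deny-with-NotResource also shuts off s3:ListAllMyBuckets, here is a small single-policy IAM evaluator in Python. It is an added example, not code from any of the answers above or from AWS: it implements the decision order (an applying explicit Deny wins, then any applying Allow, else implicit deny), IAM's `*`/`?` wildcards, and Action/NotAction and Resource/NotResource matching. The two sample policies, the bucket name bucket-for-single-user and the object keys are constructed for the example; Condition elements, bucket policies and SCPs are deliberately out of scope.

```python
import fnmatch

# Constructed sample policies (this example's own, not the page's exact JSON).
# BUCKET_ONLY_POLICY has the shape of the first two answers: every action is
# granted on the bucket ARN alone. SPLIT_POLICY has the shape of the third
# answer: bucket-level actions on the bucket ARN, object-level actions on
# bucket/*, and an explicit Deny on everything outside the bucket.
BUCKET = "arn:aws:s3:::bucket-for-single-user"

BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllInBucket", "Effect": "Allow",
         "Action": "s3:*", "Resource": BUCKET},
    ],
}

SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BucketOperations", "Effect": "Allow",
         "Action": "s3:ListBucket*", "Resource": BUCKET},
        {"Sid": "ObjectOperations", "Effect": "Allow",
         "Action": ["s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
                    "s3:DeleteObject*", "s3:GetObject*", "s3:PutObject*"],
         "Resource": BUCKET + "/*"},
        {"Sid": "DenyAllOthers", "Effect": "Deny",
         "Action": "s3:*", "NotResource": [BUCKET, BUCKET + "/*"]},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcard match: '*' spans any characters (including '/'), '?' one."""
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource
    clauses cover this (action, resource) pair. Action names are
    case-insensitive in IAM; ARNs are matched as written."""
    act = action.lower()
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    not_actions = [a.lower() for a in _as_list(stmt.get("NotAction"))]
    if actions and not any(_glob(p, act) for p in actions):
        return False
    if not_actions and any(_glob(p, act) for p in not_actions):
        return False
    resources = _as_list(stmt.get("Resource"))
    not_resources = _as_list(stmt.get("NotResource"))
    if resources and not any(_glob(p, resource) for p in resources):
        return False
    if not_resources and any(_glob(p, resource) for p in not_resources):
        return False
    return True


def evaluate(policy, action, resource):
    """Single-policy version of the IAM decision order: an explicit Deny that
    applies wins, else any applying Allow, else the implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# The requests a client like CyberDuck makes when browsing and uploading.
# ListAllMyBuckets is the call behind "show me the root"; it carries no bucket
# ARN, so it is modelled here as the service-wide "*" resource, which is why a
# bucket-scoped Allow never grants it and the NotResource Deny catches it.
CHECKS = [
    ("s3:ListAllMyBuckets", "*"),
    ("s3:ListBucket", BUCKET),
    ("s3:GetObject", BUCKET + "/report.csv"),
    ("s3:PutObject", BUCKET + "/report.csv"),
    ("s3:GetObject", "arn:aws:s3:::some-other-bucket/secret.txt"),
]


def access_matrix(policy):
    """Map each (action, resource) check to the policy's decision."""
    return {(a, r): evaluate(policy, a, r) for a, r in CHECKS}


if __name__ == "__main__":
    for name, policy in (("bucket-only", BUCKET_ONLY_POLICY),
                         ("split", SPLIT_POLICY)):
        print(f"== {name} ==")
        for (action, resource), decision in access_matrix(policy).items():
            print(f"{decision:13} {action:22} {resource}")
```

Running it shows the bucket-only shape allowing s3:ListBucket but falling to the implicit deny for s3:GetObject and s3:PutObject on any key, while the split shape allows the object operations, explicitly denies the other bucket and s3:ListAllMyBuckets, and still leaves bucket subresource calls such as s3:DeleteBucket on the implicit deny. Dropping the DenyAllOthers statement turns the ListAllMyBuckets result from Deny into ImplicitDeny, which is the "leave the Sid off" case in the third answer.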