How To Grant Access To Only One S3 Bucket Using AWS IAM Policy

This guide gives an overview on how to restrict an IAM user’s access to a single S3 bucket.

  1. Go to http://aws.amazon.com.
  2. Click on “My Account/Console” and select “Security Credentials”.

    S3 Bucket Policy Step 2

  3. Select “Continue to Security Credentials”.

    S3 Bucket Policy Step 3

  4. Select “Policies” on the left menu, then click “Create Policy”.

    S3 Bucket Policy Step 4

  5. Select “Create Your Own Policy”.

    S3 Bucket Policy Step 5

  6. Fill out the “Policy Name”, “Description” and “Policy Document” fields.
    Replace “YOUR-BUCKET” in the example below with your bucket name.

    Note: "s3:ListAllMyBuckets" lets the user list every bucket the account owns, so tools that enumerate buckets keep working; it grants no access to the contents of other buckets.
    "s3:GetBucketLocation" is needed so that ObjectiveFS can select the right S3 endpoint to talk to.

    Example policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                            "s3:GetBucketLocation",
                            "s3:ListAllMyBuckets"
                          ],
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::YOUR-BUCKET",
                    "arn:aws:s3:::YOUR-BUCKET/*"
                ]
            }
        ]
    }
    

    S3 Bucket Policy Step 6

  7. Your new policy is created after you click “Create Policy”.

    S3 Bucket Policy Step 7

  8. Select “Groups” on the left hand menu bar, and click on “Create New Group”.

    S3 Bucket Policy Step 8

  9. Enter a group name, e.g. S3OneFS.

    S3 Bucket Policy Step 9

  10. Search for the policy name that you just created, e.g. single-bucket-access-and-all-buckets-list.

    S3 Bucket Policy Step 10

  11. Next, select “Create Group”.

    S3 Bucket Policy Step 9

  12. Select the group that you just created, e.g. S3OneFS, and click “Group Actions”. Select “Add Users to Group”.

    S3 Bucket Policy Step 9

  13. Then, select your user, e.g. ObjectiveFS, and click “Add Users”.

    S3 Bucket Policy Step 9

  14. You can now use your “Access Key ID” and “Secret Access Key” to run ObjectiveFS restricted to a single bucket.
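The policy in step 6 is easy to get subtly wrong (a missing "/*" resource, or a bucket name that is a prefix of another). The following Python script, added here as an example and not part of the ObjectiveFS guide, builds that policy document for a bucket name and runs a simplified, Allow-only evaluation over it so you can see, before attaching it, which calls the single-bucket user can and cannot make. The bucket name, the checked ARNs and the is_allowed() evaluator are assumptions for illustration; the evaluator only models this identity policy and ignores explicit Deny statements, permission boundaries, SCPs and bucket policies.

```python
import fnmatch
import json

# Constructed bucket name for this worked example (not from the guide).
EXAMPLE_BUCKET = "example-objectivefs-bucket"


def single_bucket_policy(bucket):
    """Build the guide's step-6 policy document for one bucket name.

    Statement 1 grants the two account-wide calls the guide explains
    (bucket listing and bucket location); statement 2 grants full S3
    access scoped to the bucket itself and to every object key inside it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
                "Resource": "arn:aws:s3:::*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            },
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # fnmatchcase keeps the comparison case-sensitive, as bucket ARNs are.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified evaluation of an identity policy that contains only Allow
    statements: the call is allowed only if one statement matches both the
    action (case-insensitive) and the resource ARN (case-sensitive).
    Assumption: real IAM evaluation has more inputs than this."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        action_ok = any(_matches(a.lower(), action.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(_matches(r, resource)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    policy = single_bucket_policy(EXAMPLE_BUCKET)
    print(json.dumps(policy, indent=4))
    # Constructed checks: the first two should be allowed, the rest denied.
    checks = [
        ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
        ("s3:GetObject", f"arn:aws:s3:::{EXAMPLE_BUCKET}/data/file.bin"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/data/file.bin"),
        ("s3:GetObject", f"arn:aws:s3:::{EXAMPLE_BUCKET}-2/data/file.bin"),
        ("s3:DeleteBucket", "arn:aws:s3:::other-bucket"),
    ]
    for action, arn in checks:
        verdict = "ALLOW" if is_allowed(policy, action, arn) else "DENY"
        print(f"{action:22} {arn:60} -> {verdict}")
```

Run it with the bucket name replaced by your own; the printed JSON is what goes into the "Policy Document" field, and the check list shows that a bucket whose name merely starts with yours (the "-2" case) is still denied, because the ARN patterns end at the bucket name or at "/" rather than at a bare "*". For an authoritative answer against AWS's real evaluation logic, the same policy document can be fed to the IAM policy simulator (aws iam simulate-custom-policy) with the actions and ARNs you care about.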

by ObjectiveFS staff, July 28, 2015
ObjectiveFS is a shared file system for OS X and Linux that automatically scales and gives you scalable cloud storage. If you have questions or article idea suggestions, please email us at support@objectivefs.com