S3 bucket policy for group access AWS

Setting AWS permissions for buckets in S3 for groups.

AWS lets you define policies on S3 buckets (bucket policies) as well as on IAM groups (group policies).

There is one catch when writing a bucket policy: an IAM group cannot be named as a principal. Bucket policy permissions can be granted to users, roles and so on, but not to groups. S3 bucket policies do support the predefined groups, but not user-created IAM groups.

So if you need to restrict a particular group of users' access to an S3 bucket, attach a policy to that IAM group and put the restriction there.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::m_bucket",
                 "arn:aws:s3:::m_bucket/*"]
  }
  ]
}

If you want a group of users to be denied access to a particular bucket while keeping access to the rest of the buckets, you have to name that bucket in the Resource element.
If you have many buckets, use a standardized naming pattern for bucket names and restrict users with a wildcard in the policy definition.

example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt139348839980",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "Stmt139334545",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::prod-buckets*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

With the above policy the user can see the list of buckets but cannot access the buckets matched by the Deny statement. Policies can be tested with the IAM policy simulator.
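To see how the Deny statement interacts with the broad Allow on "*", here is an added example (not part of the original post) that evaluates the group policy above with a simplified version of IAM's logic: a matching explicit Deny wins, a matching Allow allows, and anything else is implicitly denied. It ignores Condition elements, resource-based policies and SCPs; the bucket and object names are constructed, and the last case shows why the Deny only protects buckets that follow the naming pattern.

```python
import fnmatch
import json

# Constructed sample input: the IAM group policy from the post as valid JSON
# (straight quotes, closing quote on the second Sid), embedded to run offline.
GROUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Stmt139348839980", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets"], "Resource": ["arn:aws:s3:::*"]},
    {"Sid": "Stmt139334545", "Effect": "Deny",
     "Action": ["s3:*"], "Resource": ["arn:aws:s3:::prod-buckets*"]},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches exactly one character; fnmatchcase implements both.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Simplified single-policy evaluation (no Condition, no resource policy,
    no SCP): explicit Deny wins, then Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    for action, arn in [("s3:ListAllMyBuckets", "*"),
                        ("s3:GetObject", "arn:aws:s3:::prod-buckets-eu/report.csv"),
                        ("s3:GetObject", "arn:aws:s3:::dev-buckets-eu/report.csv"),
                        ("s3:ListBucket", "arn:aws:s3:::production-data")]:
        print(action, arn, "->", evaluate(GROUP_POLICY, action, arn))
```

The "production-data" bucket is allowed because it does not start with "prod-buckets", which is the reason the post insists on a standardized bucket naming pattern.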
