How to set up S3 policies for multiple IAM users so each has access only to their personal bucket folder

Question

I have two users User1 and User2 that each have an IAM account in AWS. I have an s3 bucket "external_bucket.mybucket.com". In that bucket is a folder for each user account "User1" and "User2". I want to grant Read/Write access to User1 to the access User1 folder only and R/W access to User2 to the access User2 folder only. I don't want them to be able to see each others' folders in the root directory of external_bucket.mybucket.com. Is there a way to set up their IAM Policies such that this is possible?

My goal is to enable our users to connect to the S3 bucket from an S3 browser app like cloudberry so they can upload and download files to their folders only.

Any kind of advice for the best design for this is welcome.

Deepthi · Answer 1 · Aug 14, 2018

Something like this should work to allow User1 to only access User1's folder:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringLike":{"s3:prefix":["user1/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::user1/*"]
   }
 ]
}

I have taken the above piece of code from this article - Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket

Apply that as User1's policy, and then only User1 should be able to access the user1/ folder.If you substitute User2 for User1 in User2's policy, User2 should only be able to access the user2/folder.

I hope this was helpful.

answered Aug 14, 2018 by Deepthi
• 300 points

Is it possible to allow access to common folder in root directory for the two users ?

commented Nov 24, 2020 by Vincy

Hi@Vincy,

Are you trying to say that an S3 bucket has two users? Can you explain your query a little bit more? So that we can help you as soon as possible.

commented Nov 24, 2020 by MD
• 95,460 points

How to set up S3 policies for multiple IAM users so each has access only to their personal bucket folder

Your comment on this question:

1 answer to this question.

Your answer

Your comment on this answer:

Related Questions In AWS

download failed: s3://bucketnad/bucket.txt to .\bucket.txt [WinError 5] Access is denied: 'C:\\Users\\NADIM AKTHAR\\Desktop\\New folder\\bucket.txt'

How to get ARN for s3 Bucket using aws cli .

How to set up a SPF(Sender Policy Framework) for AWS EC2 instance?

How to change AWS S3 Bucket policies?

Web UI (Dashboard): https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

How do I go from development docker-compose.yml to deployed docker-compose.yml in AWS

Git management technique when there are multiple customers and need multiple customization?

AWS CloudWatch Logs in Docker

How to access files in S3 bucket from R?

Push Notification not sent by Amazon SNS to IOS application.

Subscribe to our Newsletter, and get personalized recommendations.

TRENDING CERTIFICATION COURSES

TRENDING MASTERS COURSES

COMPANY

WORK WITH US

DOWNLOAD APP

CATEGORIES

CATEGORIES

TRENDING BLOG ARTICLES

TRENDING BLOG ARTICLES