Home / server / Questions / 813872
Accepted
Gaia
Asked: 2016-11-09 12:10:11 +0800 CST

Optimized S3 Policy for full access

  • 772

I have the following policy in place:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllooUserFullAccessToBucket",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

While accessing the bucket via Key/Secret (using Cloudberry Explorer) I can:

  • List all buckets
  • List, download, upload and delete into mybucket, but only if this also is in place over at bucket permissions:

enter image description here

OR

I have need to add another item to the policy to do away with the bucket level permission requirement:

{
    "Sid": "AllooUserFullAccessToBucketPre",
    "Effect": "Allow",
    "Action": [
        "s3:*"
    ],
    "Resource": [
        "arn:aws:s3:::mybucket"
    ]
},

Is there syntax that would enable to have only 2 items (AllowUserToSeeBucketListInTheConsole & a single AllooUserFullAccessToBucket) in the policy while not requiring the bucket level permission?

amazon-s3 amazon-web-services

2 Answers

  1. Best Answer

    In my experience, it's been fairly standard practice to make a policy that just grant's access to the bucket and contents.

    I'd typically use a policy like this (don't want to allow this user to override bucket permissions, or delete the bucket, etc):

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Browse",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
        },
        {
            "Sid": "GrantS3BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject*",
                "s3:Get*",
                "s3:List*",
                "s3:PutBucketAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:RestoreObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ]
        }        
    ]
}
    • 1

  2. Try this one:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}
    • 0