How can I grant a user Amazon S3 console access to only a certain bucket or folder?

Last updated: 2021-05-20

I want to grant a user Amazon Simple Storage Service (Amazon S3) console access to a bucket or folder (prefix). However, I don't want the user to be able to see other buckets in the account, or other folders within the bucket. How can I limit the user's console access to only a certain Amazon S3 bucket or folder?

Short description

To limit a user's S3 console access to a certain bucket or folder (prefix), change the user's AWS Identity and Access Management (IAM) permissions. You can change the IAM permissions by performing the following:

1.    Remove permission to the s3:ListAllMyBuckets action.

2.    Add permission to s3:ListBucket only for the bucket or folder that you want the user to access.
Note: To allow the user to upload and download objects from the bucket or folder, you must also include s3:PutObject and s3:GetObject.

Warning: After you change these permissions, the user gets an Access Denied error when they access the main Amazon S3 console. The user must access the bucket using a direct console link to the bucket or folder. The direct console link to a bucket looks like this:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/

The direct console link to a folder (such as folder2) looks like this:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/folder1/folder2/

Note: Amazon S3 uses a flat data structure instead of a file hierarchy. The console supports the concept of a folder as a way to group and organize files.

Resolution

Follow these steps to update a user's IAM permissions for console access to only a certain bucket or folder:

1.    Open the IAM console.

2.    From the console, open the IAM user or role that should have access to only a certain bucket.

3.    In the Permissions tab of the IAM user or role, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, search for the policy that grants the user permission to the s3:ListAllMyBuckets action or to s3:* actions (all S3 actions).

5.    Modify the policy to remove permission to the s3:ListAllMyBuckets action.

Note: If an attached user policy is allowing s3:* or Full Admin access with the "*" resource, then the policy already includes the s3:ListAllMyBuckets permissions. Therefore, remove the "*" resource. Instead, make sure that you're using one of the example policies listed in this article.

6.    Add permission to s3:ListBucket only for the bucket or folder that you want the user to access from the console.

The following example policy is for access to an S3 bucket:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket"
         ],
         "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject"
         ],
         "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      }
   ]
}

The policy allows the user to perform the s3:ListBucket, s3:PutObject, and s3:GetObject actions only on DOC-EXAMPLE-BUCKET.

The following example policy grants access to a folder. The policy allows the user to perform the s3:ListBucket, s3:PutObject, and s3:GetObject actions only on folder2 within DOC-EXAMPLE-BUCKET:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToAccessFolder2Only",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/folder1/folder2/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket*"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "folder1/folder2/*"
                    ]
                }
            }
        }
    ]
}

7.    Provide the user with a direct console link to the S3 bucket or folder. The direct console link to an S3 bucket looks like this:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/

The direct console link to a folder looks like this:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/folder1/folder2/

The user must use the direct link to be able to access the S3 bucket or folder from the console.


Did this article help?


Do you need billing or technical support?