How can I grant a user access to a specific folder in my Amazon S3 bucket?

Last updated: 2020-11-05

I want to grant an AWS Identity and Access Management (IAM) user access to a specific folder in my Amazon Simple Storage Service (Amazon S3) bucket. How can I do that?

Resolution

If the IAM user and S3 bucket belong to the same AWS account, then you can grant the user access to a specific bucket folder using an IAM policy. As long as the bucket policy doesn't explicitly deny the user access to the folder, you don't need to update the bucket policy if access is granted by the IAM policy. You can add the IAM policy to individual IAM users, or you can attach the IAM policy to an IAM role that multiple users can switch to.

If the IAM identity (user or role) and the S3 bucket belong to different AWS accounts, then you must grant access in both the IAM policy and the bucket policy. For more information on cross-account access, see How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?

The following example IAM policy allows a user to download objects from the folder DOC-EXAMPLE-BUCKET/media using the Amazon S3 console. The policy includes these statements:

  • AllowStatement1 allows the user to list the buckets that belong to their AWS account. The user needs this permission to be able to navigate to the bucket using the console.
  • AllowStatement2A allows the user to list the folders within DOC-EXAMPLE-BUCKET, which the user needs to be able to navigate to the folder using the console. The statement also allows the user to search on the prefix media/ using the console.
  • AllowStatement3 allows the user to list the contents within DOC-EXAMPLE-BUCKET/media.
  • AllowStatement4A allows the user to download objects (s3:GetObject) from the folder DOC-EXAMPLE-BUCKET/media.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStatement1",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowStatement2A",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {"StringEquals": {"s3:prefix": ["", "media"]}}
    },
    {
      "Sid": "AllowStatement3",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {"StringLike": {"s3:prefix": ["media/*"]}}
    },
    {
      "Sid": "AllowStatement4A",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/media/*"]
    }
  ]
}

As another example, the following IAM policy allows a user to download and upload objects to the folder DOC-EXAMPLE-BUCKET/media using either the console or programmatic methods like the AWS Command Line Interface (AWS CLI) or the Amazon S3 API. The differences from the previous IAM policy are:

  • AllowStatement2B includes "s3:delimiter":["/"], which specifies the forward slash character (/) as the delimiter for folders within the path to an object. It's a best practice to specify the delimiter if the user makes requests using the AWS CLI or the Amazon S3 API.
  • AllowStatement4B allows the user to download (s3:GetObject) and upload (s3:PutObject) objects to the folder DOC-EXAMPLE-BUCKET/media.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStatement1",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowStatement2B",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {"StringEquals": {"s3:prefix": ["", "media"], "s3:delimiter": ["/"]}}
    },
    {
      "Sid": "AllowStatement3",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {"StringLike": {"s3:prefix": ["media/*"]}}
    },
    {
      "Sid": "AllowStatement4B",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/media/*"]
    }
  ]
}
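To check how the four statements combine before attaching the policy, here is a small added Python evaluator (not AWS code and not a full IAM simulator) that embeds the second policy above and reports which statement, if any, allows a given request. It assumes only the StringEquals and StringLike operators the policy uses, and treats a context key missing from the request as a non-match, which is how IAM behaves without an ...IfExists operator.

```python
import fnmatch

# The second IAM policy from the article (AllowStatement2B/4B), embedded as a dict.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowStatement1", "Effect": "Allow", "Resource": ["arn:aws:s3:::*"],
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]},
    {"Sid": "AllowStatement2B", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
     "Condition": {"StringEquals": {"s3:prefix": ["", "media"], "s3:delimiter": ["/"]}}},
    {"Sid": "AllowStatement3", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
     "Condition": {"StringLike": {"s3:prefix": ["media/*"]}}},
    {"Sid": "AllowStatement4B", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/media/*"]},
]}

# Only the two condition operators the article's policies use are modelled (assumption).
OPERATORS = {
    "StringEquals": lambda actual, allowed: actual in allowed,
    "StringLike": lambda actual, allowed: any(fnmatch.fnmatchcase(actual, p) for p in allowed),
}

def condition_matches(condition, context):
    # Operator blocks and keys are ANDed; the values listed for one key are ORed.
    # A key absent from the request context fails the condition (no ...IfExists variant here).
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            if key not in context or not OPERATORS[operator](context[key], allowed):
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return (effect, sid). An explicit Deny wins, then the first matching Allow;
    a request that no statement matches gets the implicit ('Deny', None)."""
    context = context or {}
    allowed_by = None
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt["Sid"]
        allowed_by = allowed_by or stmt["Sid"]
    return ("Allow", allowed_by) if allowed_by else ("Deny", None)
```

Running a ListBucket request with s3:prefix "media" but no s3:delimiter returns the implicit deny, which shows the effect of adding "s3:delimiter" to AllowStatement2B.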
