How can I grant a user Amazon S3 console access to only a certain bucket?

Last updated: 2019-06-20

I want to grant a user Amazon Simple Storage Service (Amazon S3) console access to a bucket. However, I don't want the user to be able to see other buckets in the account. How can I limit the user's console access to only a certain bucket? 

Short Description

To limit a user's Amazon S3 console access to only a certain bucket, change the following in the user's AWS Identity and Access Management (IAM) permissions:

  1. Remove permission for the s3:ListAllMyBuckets action (directly, or through a wildcard such as s3:* that covers it).
  2. Grant s3:ListBucket only on the bucket that you want the user to access.

Warning: After you change these permissions, the user gets an Access Denied error when they open the main Amazon S3 console page, because that page lists every bucket in the account and needs s3:ListAllMyBuckets to do so. The main console link is similar to the following:

https://s3.console.aws.amazon.com/s3/home

Instead, the user must access the bucket using a direct console link to the bucket, similar to the following: 

https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/

Resolution

Follow these steps to update a user's IAM permissions for console access to only a certain bucket:

1.    Open the IAM console.

2.    From the console, open the IAM user or role that should have access to only a certain bucket.

3.    In the Permissions tab of the IAM user or role, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, search for the policy that grants the user permission to the s3:ListAllMyBuckets action, to s3:* actions (all S3 actions), or to a broader wildcard that covers it (for example, s3:List* or *). Check every policy attached to the user and to the groups the user belongs to, because the user's effective permissions are the union of all of them.

5.    Modify the policy to remove permission to the s3:ListAllMyBuckets action. Then, add permission to s3:ListBucket only for the bucket that you want the user to access from the console. If the policy granted s3:* on Resource "*", removing s3:ListAllMyBuckets alone is not enough: s3:* on "*" still includes s3:ListBucket and the object actions on every bucket in the account, so scope the remaining actions to the bucket's ARN and to its objects as in the example below. Keep in mind that hiding the bucket list is not a confidentiality control: a user who already knows another bucket's name can still reach it if any policy grants access to that bucket.

For example, the following policy allows the user to perform the s3:ListBucket action on awsexamplebucket and the s3:PutObject and s3:GetObject actions on the objects in it. Note the two resource forms: s3:ListBucket is a bucket-level action and is granted on the bucket ARN (arn:aws:s3:::awsexamplebucket), while object actions are granted on the object ARN pattern (arn:aws:s3:::awsexamplebucket/*). Granting s3:GetObject on the bucket ARN alone would not allow the user to read any objects.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket"
         ],
         "Resource":"arn:aws:s3:::awsexamplebucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject"
         ],
         "Resource":"arn:aws:s3:::awsexamplebucket/*"
      }
   ]
}

6.    Provide the user with a direct console link to the bucket, similar to the following:

https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/

The user must use the direct link to be able to access the bucket from the console.
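The following script checks whether a policy document actually satisfies the two conditions above (no s3:ListAllMyBuckets, s3:ListBucket only on the target bucket) before you hand out the direct link. It is an added example and not code from the AWS article; it uses only the Python standard library so it runs offline. The three policy documents (BEFORE_POLICY, AFTER_POLICY, DENY_POLICY), the bucket name awsexamplebucket and the probe ARN arn:aws:s3:::some-other-bucket are constructed for the example. The evaluator is a simplified version of IAM's logic (explicit Deny wins, otherwise any matching Allow grants; Condition elements are ignored), which is enough for this check but is not a full IAM simulator. To audit a real user, fetch the attached policy documents with boto3 (for example iam.get_user_policy or iam.get_policy_version) and pass each "Document" dict to audit_policy().

```python
"""Offline audit of an IAM policy for bucket-scoped S3 console access.

Added example, not part of the AWS article. Policy documents below are
constructed; fetch real ones with boto3 and pass them to audit_policy().
"""
import json
import re

TARGET_BUCKET = "awsexamplebucket"  # assumed: the bucket from the article

# Constructed "before" state: every S3 action on every resource.
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# The article's "after" policy: list only the bucket, read/write only its objects.
AFTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::awsexamplebucket"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::awsexamplebucket/*"},
    ],
}

# Constructed variant: broad allow left in place, explicit Deny added on top.
# Hides the bucket list, but still lets the user list every other bucket.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Action names match case-insensitively, ARNs case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_matches(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource
    elements both cover the given action and resource ARN."""
    if "Action" in stmt:
        act_ok = any(_wild(p, action, True) for p in _as_list(stmt["Action"]))
    else:
        act_ok = not any(_wild(p, action, True) for p in _as_list(stmt["NotAction"]))
    if "Resource" in stmt:
        res_ok = any(_wild(p, resource, False) for p in _as_list(stmt["Resource"]))
    else:
        res_ok = not any(_wild(p, resource, False) for p in _as_list(stmt["NotResource"]))
    return act_ok and res_ok


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation for one action/resource pair: an explicit
    Deny wins, otherwise any matching Allow grants. Condition elements are
    ignored, so a conditioned statement is counted as if it always applied."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def audit_policy(policy, bucket=TARGET_BUCKET):
    """The three facts the article's procedure is meant to establish."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    probe_arn = "arn:aws:s3:::some-other-bucket"  # constructed probe ARN
    return {
        # ListAllMyBuckets is account-level, so it is evaluated against Resource "*".
        "lists_all_buckets": is_allowed(policy, "s3:ListAllMyBuckets", "*"),
        "lists_target_bucket": is_allowed(policy, "s3:ListBucket", bucket_arn),
        "lists_other_buckets": is_allowed(policy, "s3:ListBucket", probe_arn),
    }


if __name__ == "__main__":
    for name, policy in [("before", BEFORE_POLICY), ("after", AFTER_POLICY),
                         ("deny", DENY_POLICY)]:
        print(name, json.dumps(audit_policy(policy)))
```

A policy passes the article's check only when lists_all_buckets and lists_other_buckets are both false and lists_target_bucket is true. The DENY_POLICY variant shows why the article tells you to remove the broad grant rather than just deny the listing action: the explicit Deny hides the bucket list, but the leftover s3:* on "*" still lets the user list and read any other bucket by name.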

Note: If you want the user to be able to list all buckets but perform other S3 actions only on a certain bucket, see Example: Allow an IAM user access to one of your buckets.
