How can I grant users the minimum Amazon S3 permissions required to access an Elastic Beanstalk environment?

Last updated: 2020-03-10

I want to grant the minimum set of Amazon Simple Storage Service (Amazon S3) permissions to a user in an AWS Elastic Beanstalk environment.

Resolution

1.    Open the AWS Identity and Access Management (IAM) policy console.

2.    From the navigation pane, choose Policies.

3.    Create or update the IAM policy that you're using for your Elastic Beanstalk environment.

4.    In the Resources section of the IAM policy that you create or update, use the following syntax to grant users access to only S3 buckets related to Elastic Beanstalk:

arn:aws:s3:::elasticbeanstalk-*

See the following example IAM policy:

{
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject",
                "s3:PutBucketPolicy”,
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-*",
                "arn:aws:s3:::elasticbeanstalk-*/*"
            ],
            "Effect": "Allow",
            "Sid": "EBBucketAccess"
},
{
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "ListBuckets"
}

Note: If you're fetching application versions from a custom S3 bucket, then you might need to list additional buckets and add further permissions for Elastic Beanstalk.


Did this article help you?

Anything we could improve?


Need more help?