How can I grant a user Amazon S3 console access to only a certain bucket or folder?

Last updated: 2020-08-06

I want to grant a user Amazon Simple Storage Service (Amazon S3) console access to a bucket or folder (prefix). However, I don't want the user to be able to see other buckets in the account, or other folders within the bucket. How can I limit the user's console access to only a certain bucket or folder?

Short description

To limit a user's Amazon S3 console access to only a certain bucket or folder (prefix), change the following in the user's AWS Identity and Access Management (IAM) permissions:

  1. Remove permission to the s3:ListAllMyBuckets action.
  2. Add permission to s3:ListBucket only for the bucket or folder that you want the user to access.
    Note: To allow the user to upload and download objects from the bucket or folder, you must also include s3:PutObject and s3:GetObject.

Warning: After you change these permissions, the user gets an Access Denied error when they open the main Amazon S3 console page, because listing the account's buckets requires the s3:ListAllMyBuckets permission that you removed. The user must access the bucket using a direct console link to the bucket or folder. The direct console link to a bucket is similar to the following:

https://s3.console.aws.amazon.com/s3/buckets/AWSDOC-EXAMPLE-BUCKET/

The direct console link to a folder, such as the example folder2, is similar to the following:

https://s3.console.aws.amazon.com/s3/buckets/AWSDOC-EXAMPLE-BUCKET/folder1/folder2/

Note: Amazon S3 uses a flat data structure instead of a file hierarchy. The console supports the concept of a folder as a way to group and organize files.

Resolution

Follow these steps to update a user's IAM permissions for console access to only a certain bucket or folder:

1.    Open the IAM console.

2.    From the console, open the IAM user or role that should have access to only a certain bucket.

3.    In the Permissions tab of the IAM user or role, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, search for the policy that grants the user permission to the s3:ListAllMyBuckets action or to s3:* actions (all S3 actions).

5.    Modify the policy to remove permission to the s3:ListAllMyBuckets action.

6.    Then, add permission to s3:ListBucket only for the bucket or folder that you want the user to access from the console.

The following example policy is for access to a bucket. The policy allows the user to perform the s3:ListBucket, s3:PutObject, and s3:GetObject actions only on AWSDOC-EXAMPLE-BUCKET:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
        }
    ]
}

The following example policy is for access to a folder. The policy allows the user to perform the s3:ListBucket, s3:PutObject, and s3:GetObject actions only on folder2 within AWSDOC-EXAMPLE-BUCKET:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToAccessFolder2Only",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*"
            ],
            "Resource": [
                "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/folder1/folder2/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket*"
            ],
            "Resource": [
                "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "folder1/folder2/*"
                    ]
                }
            }
        }
    ]
}

7.    Provide the user with a direct console link to the bucket or folder. The direct console link to a bucket is similar to the following:

https://s3.console.aws.amazon.com/s3/buckets/AWSDOC-EXAMPLE-BUCKET/

The direct console link to a folder is similar to the following:

https://s3.console.aws.amazon.com/s3/buckets/AWSDOC-EXAMPLE-BUCKET/folder1/folder2/

The user must use the direct link to be able to access the bucket or folder from the console.
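To check how the two policies above behave before handing a user a direct link, here is an added example (not AWS code and not part of the original article): a small Python evaluator that models only the subset of IAM policy evaluation these policies rely on. The policy dicts are the article's two policies; the request helpers, the omission of explicit Deny and NotAction, and the simplification that a root listing carries an empty s3:prefix are assumptions of this example.

```python
# Added example (not AWS code): a toy evaluator for the two policies in this
# article. It implements only the parts of IAM evaluation these policies use:
# implicit deny, Allow statements, '*' and '?' wildcards in Action and Resource,
# and a StringLike condition on the s3:prefix key. Explicit Deny, NotAction,
# NotResource, policy variables and resource-based policies are out of scope,
# and a list request with no prefix is treated as prefix "" (a simplification).
import fnmatch

BUCKET_ARN = "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"

# The article's bucket-scoped policy.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": BUCKET_ARN + "/*"},
    ],
}

# The article's folder-scoped policy (folder1/folder2 only).
FOLDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUsersToAccessFolder2Only", "Effect": "Allow",
         "Action": ["s3:GetObject*", "s3:PutObject*"],
         "Resource": [BUCKET_ARN + "/folder1/folder2/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket*"], "Resource": [BUCKET_ARN],
         "Condition": {"StringLike": {"s3:prefix": ["folder1/folder2/*"]}}},
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list in Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def _like(pattern, value):
    # IAM string matching: '*' is any run of characters (including '/'), '?' one character.
    # fnmatch also interprets '[...]', which IAM does not; nothing here uses brackets.
    return fnmatch.fnmatchcase(value, pattern)


def _action_matches(statement, action):
    # Action names are compared case-insensitively.
    return any(_like(p.lower(), action.lower()) for p in _as_list(statement.get("Action", [])))


def _resource_matches(statement, resource):
    return any(_like(p, resource) for p in _as_list(statement.get("Resource", [])))


def _condition_matches(statement, context):
    # Every operator/key in the Condition block must hold. A key that is absent
    # from the request context makes a StringLike condition false.
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, patterns in keys.items():
            if key not in context:
                return False
            if not any(_like(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Implicit deny unless some Allow statement matches action, resource and conditions."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (_action_matches(stmt, action) and _resource_matches(stmt, resource)
                and _condition_matches(stmt, context)):
            return True
    return False


def can_list(policy, prefix):
    """Can the console list the bucket at this prefix? '' is the bucket root."""
    return is_allowed(policy, "s3:ListBucket", BUCKET_ARN, {"s3:prefix": prefix})


def can_object(policy, action, key):
    """Can the user perform an object-level action on this key?"""
    return is_allowed(policy, action, BUCKET_ARN + "/" + key)


if __name__ == "__main__":
    # Neither policy grants s3:ListAllMyBuckets, which is why the console's
    # bucket list page shows Access Denied and the user needs a direct link.
    print("list all buckets:", is_allowed(FOLDER_POLICY, "s3:ListAllMyBuckets", "*"))
    for prefix in ["", "folder1/", "folder1/folder2/", "folder1/folder2/sub/"]:
        print(f"bucket policy lists {prefix!r}: {can_list(BUCKET_POLICY, prefix)}  "
              f"folder policy lists {prefix!r}: {can_list(FOLDER_POLICY, prefix)}")
    print("GetObject folder1/secret.txt:",
          can_object(FOLDER_POLICY, "s3:GetObject", "folder1/secret.txt"))
    print("GetObjectAcl folder1/folder2/a.csv:",
          can_object(FOLDER_POLICY, "s3:GetObjectAcl", "folder1/folder2/a.csv"))
```

Running it shows the behaviour the article describes: the bucket-scoped policy lets the user list any prefix in the bucket, while the folder-scoped policy only lists prefixes under folder1/folder2/ and denies the bucket root, which is what the user hits if they navigate above the folder in the console. It also makes a side effect of the folder policy visible: the wildcard patterns s3:GetObject* and s3:ListBucket* match more than the two actions named in the text, for example s3:GetObjectAcl and s3:ListBucketVersions, so tighten them to exact action names if those are not wanted. For a real account, confirm the result with the IAM policy simulator (aws iam simulate-principal-policy) rather than this toy model.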