Hi,
If you are using Amazon S3 for storage, I recommend using IAM to create users whose access is limited to S3 only, or to one specific bucket only. It is a great way to give a developer, client or partner access to a specific bucket in your S3 without giving them access to your whole AWS account or to all of S3.
Using the IAM service in AWS, you can create groups and users with specific permissions. In my case:
- I created a group called: test
- then added testuser as a user in the group
- used the following policy for the group to give access to only the ‘test’ bucket
Policy for view/download/upload/delete access to a specific bucket:
Enable AWS Management Console access to an Amazon S3 bucket (the console needs s3:ListAllMyBuckets and s3:GetBucketLocation on all buckets to show the bucket list and navigate into a bucket, so the user will see the names of all buckets in the account, but can only list and read objects in ‘test’):
[code language="javascript"]
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}
[/code]
For programmatic access (the AWS CLI or an SDK, where the bucket name is already known), the following IAM policy grants read-write access to the test bucket only; it does not need s3:ListAllMyBuckets, so the user cannot even see the names of other buckets:
[code language="javascript"]
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}
[/code]
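As an added example (my own code, not from the post), here is a small Python checker that evaluates requests against the console policy above the way IAM does in the simple case (an explicit Deny beats any Allow, `*` is a wildcard in Action and Resource, action names are case-insensitive), so you can confirm before attaching the policy that testuser reaches the test bucket and nothing else. The `prod` bucket and object keys in the checks are constructed; Condition, NotAction and policy variables are not modelled (assumption).

```python
import fnmatch
import json

# The console-access policy from the post (with Version added), limited to the "test" bucket.
CONSOLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::test"]},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::test/*"]}
  ]
}""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation (assumption: no Condition/NotAction/NotResource):
    an explicit Deny wins; otherwise the request is allowed if any Allow statement
    matches both the action (case-insensitive) and the resource ARN."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    # Constructed requests showing what testuser can and cannot do under this policy.
    checks = [
        ("s3:ListBucket", "arn:aws:s3:::test"),            # allowed
        ("s3:GetObject", "arn:aws:s3:::test/report.csv"),  # allowed
        ("s3:GetObject", "arn:aws:s3:::prod/secret.txt"),  # denied: different bucket
        ("s3:DeleteBucket", "arn:aws:s3:::test"),          # denied: never granted
        ("s3:GetBucketLocation", "arn:aws:s3:::prod"),     # allowed: needed on all buckets
    ]
    for action, resource in checks:
        print(f"{action:22} {resource:32} -> {is_allowed(CONSOLE_POLICY, action, resource)}")
```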