How to I allow full access for an IAM user to a specific path within a bucket only?

Background
  • I have several buckets, each with a "Development" and "Production" folder inside.
  • I have two accounts, accountname-dev and accountname-prod
Goals
  • I'd like account-dev to have full access (all actions) on BucketName/DEVELOPMENT
  • I'd like account-prod to have full access (all actions) on BucketName/PRODUCTION
Problem

Whenever I use the policy generator, it looks like I'm doing it wrong somehow. Adding a standard admin policy allows access to the documents fine, but my custom policy does not.

I added the policy using Amazon's IAM policy creation screen for a specific account.

The policy I'm trying to use is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "[Redacted]",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "DEVELOPMENT/*"
        }
      },
      "Resource": [
        "arn:aws:s3:::RedactedBucketName"
      ]
    }
  ]
}
Questions
  • Is anything wrong with the policy above?
  • Is this the only policy I need to add? Or do I need to add some sort of access capability at the bucket level too first?
  • Even though Amazon's policy generation screen didn't include the full ARN for the principal, is it a best practice to include that anyway?

Answers


I could make it work this way:

Assign an IAM user policy only (no S3 bucket policy is needed) to individual user.

Check below user policy. I created for the user account-dev, meaning, you have to apply this IAM policy to account-dev user.

{
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootLevelListingOfDevelopmentBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::development-bucket-name"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            ""
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::development-bucket-name"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "DEVELOPMENT/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowUserToReadWriteObjectData",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::development-bucket-name/DEVELOPMENT/*"
      ]
    }
  ]
}

AllowGroupToSeeBucketListInTheConsole and AllowRootLevelListingOfDevelopmentBucket are needed for user to work from S3 console. If you do not want user to work from S3 console and want him to work only using APIs, then you can omit these 2 stanzas.

Similarly, you have create another user policy for account-prod and assign it to that user.


Need Your Help

Create database in Symfony2

php mysql symfony doctrine-orm

I've inherited a Symfony project that uses a MySQL DB. I need to create a second database. I've changed the …/htdocs/projectFolder/app/config/parameters.yml to have a new dbName.