Permissions for specific bucket and specific folder

You see, I have an S3 bucket on Amazon with the following structure:

Folder "Home":
 - Usuario1
 - Usuario2
 - Usuario3

I want to create a specific IAM user for each user, so that each user has access only to their own folder and subfolders.

I understand that I would have to create a different IAM user for each user so they can access their respective folder; the problem is, what would the JSON of the privileges look like?

I currently use this, but it gives access to all the folders; what I need is to grant only one folder with all its files and subfolders:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mibucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

I have already tried many ways following the Amazon manuals, but I can't get it to work :(

Thanks for your help. Greetings.

UPDATED:

With the help of Leonardo I have managed to do the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mibucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mibucket/home/Usuario/*"
      ]
    }
  ]
}

However, the previous policy lets me access the folder (specifying the path, of course), but it does not let me upload files :(

asked by Neftali Acosta 19.07.2018 at 21:03

2 answers

Thanks for the help; in the end I found what I needed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition": {"StringEquals": {"s3:prefix": ["", "home/"], "s3:delimiter": ["/"]}}
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition": {"StringLike": {"s3:prefix": ["home/David/*"]}}
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-company/home/David/*"]
    }
  ]
}

Source: link

answered by 20.07.2018 / 01:25

This should work. I do not understand your structure well, but assuming that your bucket is called mibucket and inside it you want a structure like the following:

Home/User1
Home/User2
Home/User3

Then to each IAM user you should apply a policy like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mibucket"],
      "Condition": {"StringLike": {"s3:prefix": ["Home/Usuario1/*"]}}
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::mibucket/Home/Usuario1/*"]
    }
  ]
}

I hope it helps you.

EDIT1:

Keep in mind that each user can only list their specific folder, so if you connect with, for example, Cyberduck or whatever, you have to specify that the folder to show is the one that corresponds to the user, for example "Home/User1".

EDIT2:

As I put in the comment, apparently the program you use to connect wants to list the root of the bucket, but with the policy I passed you each user can only list their own folder. I do not know that program, but if you want to try Cyberduck you can specify which folder is accessed when the user connects, so you should not have a problem.

In this program, if in the part that says Path you put mibucket/Home/User1 you should be able to connect.

EDIT3:

I add the policy found on the official website to restrict access to individual folders by user, documented here:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<BUCKET-NAME>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "",
                        "home/",
                        "home/${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<BUCKET-NAME>/home/${aws:username}",
                "arn:aws:s3:::<BUCKET-NAME>/home/${aws:username}/*"
            ]
        }
    ]
}
answered by 19.07.2018 at 22:57
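To see why the questioner's UPDATED policy could list but not upload, and what the per-user policy from EDIT3 grants and refuses, here is an added offline check (not code from the thread or from AWS): a simplified IAM-style evaluator with `<BUCKET-NAME>` set to the questioner's `mibucket` and constructed usernames. It models only Allow statements, `*`/`?` wildcards and StringLike/StringEquals conditions, which is all these policies use; it is not AWS's policy engine.

```python
import re

# Policy from EDIT3 above with <BUCKET-NAME> set to the questioner's
# "mibucket" (constructed here for the check).
PER_USER = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::mibucket",
     "Condition": {"StringLike": {"s3:prefix": ["", "home/", "home/${aws:username}/*"]}}},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::mibucket/home/${aws:username}",
                  "arn:aws:s3:::mibucket/home/${aws:username}/*"]}]}

# The questioner's UPDATED policy, which could list but not upload.
UPDATED = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::mibucket"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::mibucket/home/Usuario/*"]}]}

def _like(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _cond(op, value, pats):
    """StringLike / StringEquals; a missing key or unknown operator fails closed."""
    if value is None or op not in ("StringLike", "StringEquals"):
        return False
    return any(_like(p, value) for p in pats) if op == "StringLike" else value in pats

def is_allowed(policy, username, action, resource, context=None):
    """Simplified evaluator: default deny, Allow statements, String* conditions on
    request context keys (pass s3:prefix as "" for a root listing). Not AWS's engine."""
    context = context or {}
    sub = lambda s: s.replace("${aws:username}", username)
    listify = lambda v: v if isinstance(v, list) else [v]
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":  # the thread's policies carry no explicit Deny
            continue
        if not any(_like(a, action) for a in listify(st["Action"])):
            continue
        if not any(_like(sub(r), resource) for r in listify(st["Resource"])):
            continue
        conds = [(op, k, [sub(p) for p in listify(v)])
                 for op, keys in st.get("Condition", {}).items() for k, v in keys.items()]
        if all(_cond(op, context.get(k), pats) for op, k, pats in conds):
            return True
    return False
```

With PER_USER, `is_allowed(PER_USER, "Usuario1", "s3:PutObject", "arn:aws:s3:::mibucket/home/Usuario1/x.pdf")` is True and the same call for "Usuario2" is False; with UPDATED, PutObject on the user's own object is False (the object ARN is never granted) while ListBucket with any other user's prefix is True, because `s3:*` on the bare bucket ARN covers every bucket-level action with no prefix restriction.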