S3 Group policy for read-only access to only one bucket.
Simple AWS IAM Group policy to limit a client to read-only access to a single bucket. They'll be able to see the names of all other buckets on your account, but won't be able to get into them. They will be able to see all folders and files in the bucket you specify.
Replace "bucketname" below:
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket", "s3:ListAllMyBuckets" ],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Deny",
"Action": ["s3:ListBucket"],
"NotResource":["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket","s3:GetObject"],
"Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"],
"Condition": {}
}
]
}Written by Brock Angelo
Related protips
3 Responses
Pretty nifty policy! In my experience a few more actions are useful to include under "allow" as shown in: https://www.imthi.com/blog/general/amazon-iam-policy-readonly-access-to-single-s3-bucket.php This is especially useful if you want to use the AWS web console to view your S3 assets.
it's ok but the usre can delete anything in the target bucket
@NestorAcevedo No, they can't. This policy doesn't give the user the DeleteObject permission (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectDELETE.html).
Have a fresh tip? Share with Coderwall community!
