Last Updated: February 25, 2016
· brockangelo

S3 Group policy for read-only access to only one bucket.

Simple AWS IAM Group policy to limit a client to read-only access to a single bucket. They'll be able to see the names of all other buckets on your account, but won't be able to get into them. They will be able to see all folders and files in the bucket you specify.

Replace "bucketname" below:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
        "Resource": "arn:aws:s3:::*"
      },
      {
        "Effect": "Deny",
        "Action": ["s3:ListBucket"],
        "NotResource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
      },
      {
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"],
        "Condition": {}
      }
    ]
  }
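To see why the middle Deny statement is needed (the first statement grants s3:ListBucket on every bucket, and only an explicit Deny narrows that back to one), here is an added example, not part of the original tip, that runs a simplified model of IAM policy evaluation over a copy of the policy above: an explicit Deny wins over any Allow, an Allow wins over nothing, and a request no statement matches is implicitly denied. The evaluator is an assumption-level approximation (wildcards via fnmatch; no Condition, Principal, NotAction, bucket policies, SCPs or permission boundaries), the policy copy keeps the tip's "bucketname" placeholder, and the sample requests are constructed.

```python
import fnmatch
import json

# Constructed copy of the policy from the tip above, "bucketname" left as the
# placeholder the tip uses. The empty Condition block is omitted here.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny",
     "Action": ["s3:ListBucket"],
     "NotResource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]}
  ]
}
""")


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' any run of characters, '?' one character. fnmatch is a
    # close enough approximation for ARNs and action names (assumption).
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource):
    """True if this statement covers the (action, resource) pair."""
    if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
        return False
    if "Resource" in stmt:
        return any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
    if "NotResource" in stmt:
        # NotResource covers everything EXCEPT the listed ARNs.
        return not any(_matches(p, resource) for p in _as_list(stmt["NotResource"]))
    return False


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins, stop here
        decision = "Allow"
    return decision


def without_deny(policy):
    """Copy of the policy with every Deny statement removed, for comparison."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"]}


# Constructed sample requests: (action, resource ARN) pairs a client might issue.
REQUESTS = [
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),  # account-level call
    ("s3:ListBucket", "arn:aws:s3:::bucketname"),
    ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
    ("s3:GetObject", "arn:aws:s3:::bucketname/report.csv"),
    ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
    ("s3:PutObject", "arn:aws:s3:::bucketname/report.csv"),
    ("s3:DeleteObject", "arn:aws:s3:::bucketname/report.csv"),
]


def decisions(policy, requests=REQUESTS):
    """Map each sample request to the evaluator's verdict."""
    return {(a, r): evaluate(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    for (action, resource), verdict in decisions(POLICY).items():
        print(f"{verdict:13} {action:22} {resource}")
    print("\nSame requests with the Deny statement removed:")
    for (action, resource), verdict in decisions(without_deny(POLICY)).items():
        print(f"{verdict:13} {action:22} {resource}")
```

Running it shows listing of other-bucket flips from Deny to Allow once the Deny statement is dropped, while object reads outside bucketname and every write action (PutObject, DeleteObject) fall through to ImplicitDeny under the policy as written. Use the AWS IAM policy simulator for the authoritative answer before relying on a policy; this model is for reasoning, not for enforcement.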

2 Responses
Pretty nifty policy! In my experience a few more actions are useful to include under "allow" as shown in: https://www.imthi.com/blog/general/amazon-iam-policy-readonly-access-to-single-s3-bucket.php This is especially useful if you want to use the AWS web console to view your S3 assets.

over 1 year ago ·

It's ok, but the user can delete anything in the target bucket.

over 1 year ago ·