Last Updated: February 25, 2016 · brockangelo

S3 Group policy for read-only access to only one bucket.

A simple AWS IAM group policy that limits a client to read-only access to a single bucket. The first Allow statement grants listing of all buckets, the Deny statement with NotResource then blocks ListBucket on every bucket other than the one you name, and the final Allow grants ListBucket and GetObject on the target bucket and its objects. The client will be able to see the names of all other buckets on your account, but won't be able to get into them; they will be able to see all folders and files in the bucket you specify.

Replace "bucketname" below:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket"],
      "NotResource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"],
      "Condition": {}
    }
  ]
}
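As an added illustration (not part of the original tip), the following Python models IAM's evaluation order (an explicit Deny beats any Allow, and a request nothing allows falls through to the implicit deny) and runs the policy above against sample requests: listing or reading the named bucket is allowed, listing any other bucket is explicitly denied, and an action the policy never grants, such as deleting an object, is implicitly denied. The evaluator is a deliberate simplification that ignores Condition blocks, the principal and bucket policies; "otherbucket" and the object keys are constructed sample values.

```python
import json
import re

# Constructed copy of the policy from the tip with "bucketname" substituted.
# This evaluator is a simplified model of IAM, not the AWS SDK: it ignores
# conditions, the principal and resource-based (bucket) policies.
POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": ["s3:ListBucket"],
     "NotResource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]}
  ]
}
""")


def _matches(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _applies(stmt, action, resource):
    """Does this statement match the requested action and resource ARN?"""
    if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
        return False
    if "Resource" in stmt:
        return any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
    # NotResource: the statement applies to every ARN *except* those listed.
    return not any(_matches(p, resource) for p in _as_list(stmt["NotResource"]))


def evaluate(policy, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' (IAM precedence order)."""
    decision = "ImplicitDeny"  # nothing matched: denied by default
    for stmt in policy["Statement"]:
        if not _applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision
```

For example, `evaluate(POLICY, "s3:DeleteObject", "arn:aws:s3:::bucketname/report.csv")` returns "ImplicitDeny" because no statement grants that action, while the same call with "s3:GetObject" returns "Allow".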

2 Responses

Pretty nifty policy! In my experience a few more actions are useful to include under "allow" as shown in: https://www.imthi.com/blog/general/amazon-iam-policy-readonly-access-to-single-s3-bucket.php This is especially useful if you want to use the AWS web console to view your S3 assets.

over 1 year ago

It's OK, but the user can delete anything in the target bucket.

over 1 year ago