Last Updated: August 15, 2019
· brockangelo

S3 Group policy for read-only access to only one bucket.

Simple AWS IAM group policy that limits a client to read-only access to a single bucket. They'll be able to see the names of all other buckets in your account, but won't be able to list or read anything inside them. They will be able to see all folders and files in the bucket you specify.

Replace "bucketname" below with the name of your bucket (it appears in the Deny statement and in the final Allow statement):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket"],
      "NotResource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
    }
  ]
}
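To see what the three statements grant and refuse, here is an offline evaluator (an added example, not part of the original tip and not an AWS tool) that applies IAM's identity-policy rule of explicit Deny over Allow over implicit Deny to a handful of constructed requests. The bucket names "my-bucket" and "other-bucket" and the object keys are constructed stand-ins, and bucket policies, permission boundaries and SCPs are out of scope; for a real account use the IAM Policy Simulator.

```python
"""Offline model of how IAM evaluates the single-bucket policy above. Added
example, not from the tip or any AWS SDK: only the identity-policy rule is
modelled; bucket policies, permission boundaries and SCPs are ignored."""
from fnmatch import fnmatchcase

ARN = "arn:aws:s3:::my-bucket"  # constructed stand-in for "bucketname"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Deny", "Action": ["s3:ListBucket"],
         "NotResource": [ARN, ARN + "/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": [ARN, ARN + "/*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_applies(stmt, action, resource):
    """Action matches case-insensitively with IAM '*' wildcards; the resource
    must fall inside Resource, or outside every NotResource pattern."""
    if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
        return False
    if "Resource" in stmt:
        return any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return not any(fnmatchcase(resource, p) for p in _as_list(stmt["NotResource"]))

def evaluate(policy, action, resource):
    """Explicit Deny wins, then Allow; anything no statement covers is denied."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_applies(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

# Constructed requests: what the tip promises, and what it never grants.
REQUESTS = [
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    ("s3:ListBucket", ARN),
    ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
    ("s3:GetObject", ARN + "/reports/q1.csv"),
    ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
    ("s3:DeleteObject", ARN + "/reports/q1.csv"),
]
def decisions(policy=POLICY):
    return {f"{a} {r}": evaluate(policy, a, r) for a, r in REQUESTS}
```

Running `decisions()` shows the bucket listing and reads on my-bucket allowed, the listing of other-bucket explicitly denied, and GetObject on other buckets plus DeleteObject anywhere implicitly denied because no statement grants them.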

3 Responses

Pretty nifty policy! In my experience a few more actions are useful to include under "allow" as shown in: https://www.imthi.com/blog/general/amazon-iam-policy-readonly-access-to-single-s3-bucket.php This is especially useful if you want to use the AWS web console to view your S3 assets.

over 1 year ago

It's OK, but the user can delete anything in the target bucket.

over 1 year ago

@NestorAcevedo No, they can't. This policy doesn't give the user the DeleteObject permission (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectDELETE.html).

over 1 year ago