Granting Access to S3 Bucket for a Specific User

  2 minute read  

In this section, you will learn how to configure an S3 bucket to grant access to only a specific user. This allows you to refine access control at a granular level, restricting access to the bucket to a particular user.

Step 1: Prepare the Information

To create a policy of this kind, you need a set of information:

VariableExplanationExample Value
ACCOUNT_IDThe account ID you used to sign in to the S3 User Portal. You can find this on the dashboard (see Screenshot).700001145864652591
BUCKET_NAMEThe name of the bucket whose access is regulated by this policy.examplebucket
USERNAMEThe username of the specific user for whom a granular access policy will be created.mmustermann

ACCOUNTID

Step 2: Create the Bucket Policy

Policies are typically defined using .json objects. In this case, create a user-policy.json file and replace the corresponding variables with the information collected in the last step.

user-policy.json:

{
  "Version": "2012-10-17",
  "Id": "UserBucketPolicy",
  "Statement": [
    {
      "Sid": "AllowUserAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:user/USERNAME"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    },
    {
      "Sid": "DenyOtherAccess",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:user/USERNAME"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}

In this specific example, the policy would be as follows:

user-policy.json

{
  "Version": "2012-10-17",
  "Id": "UserBucketPolicy",
  "Statement": [
    {
      "Sid": "AllowUserAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::700001145864652591:user/mmustermann"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::shop-thumbnails",
        "arn:aws:s3:::shop-thumbnails/*"
      ]
    },
    {
      "Sid": "DenyOtherAccess",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::700001145864652591:user/mmustermann"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::shop-thumbnails",
        "arn:aws:s3:::shop-thumbnails/*"
      ]
    }
  ]
}

Step 3: Set the Bucket Policy

aws s3api put-bucket-policy --bucket <bucketname> --policy file://user-policy.json --endpoint-url=https://<endpoint-url>

Explanation of variables:

  • <bucketname>: The name of the bucket whose policy you want to check.
  • <policy-name>: The name of the policy file you created.
  • <endpoint-url>: The corresponding endpoint for your plusserver S3-service.

Example:

aws s3api put-bucket-policy --bucket shop-thumbnails --policy file://user-policy.json --endpoint-url=https://s3.de-west-1.psmanaged.com

Step 4: Check the Bucket Policy

Use the command aws s3api get-bucket-policy to verify that the desired policy has been set:

aws s3api get-bucket-policy --bucket <bucketname> --endpoint-url=https://<endpoint-url>

Explanation of variables:

  • <bucketname>: The name of the bucket whose policy you want to check.
  • <endpoint-url>: The corresponding endpoint for your plusserver S3 service.

Example:

aws s3api get-bucket-policy --bucket shop-thumbnails --endpoint-url=https://s3.de-west-1.psmanaged.com

After running this command, the output should match the policy you defined and ideally be identical.

Last modified 03.05.2024: dos2unix mansvc files (d79b1ea)