Policy for an S3 Only Amazon IAM User

Posted in Cloud computing, Snippets

Now that Amazon’s Identity and Access Management (IAM) is more widely known, and you can use your IAM credentials to login to the AWS Console, you might be wondering how to really leverage the IAM offering.

One really good use for IAM is allowing access for specific users to specific S3 buckets. This is what the IAM policy would look like.

{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket_name_here"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket_name_here/*"
    }
  ]
}

This policy contains three simple IAM statements:

  1. s3:ListAllMyBuckets across all of S3 (arn:aws:s3:::*)
  2. Full control of the specified bucket (bucket_name_here, in this case)
  3. Full control of the contents of the specified bucket

Sadly, there is no way to restrict which buckets a user sees when listing them; instead you have to let them see all buckets in the account, which is what the first statement allows.

The second and third statements give the user full control of the bucket itself and of its contents, respectively. Assign this policy directly to a user, or to a group that the user belongs to, and you're all set!
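To see why the bucket ARN and the object ARN (the `/*` form) need separate statements, here is an added Python example that is not part of the original post. It generates the three-statement policy for a bucket name and runs a small, simplified IAM-style evaluator over a few sample requests. The bucket name `example-reports`, the request list, and the evaluator itself are constructed for this example; the evaluator only models identity-policy Allow, explicit Deny and implicit deny with `*`/`?` wildcards, and the example adds a `Version` field that the post's policy omits.

```python
"""Build the S3-only IAM policy from the post and check, offline, which
requests it allows. Assumptions (not from the post): the bucket name
"example-reports", the sample requests, and the simplified evaluator.
"""
import fnmatch
import json


def build_s3_only_policy(bucket: str, include_objects: bool = True) -> dict:
    """Return the post's three-statement policy for `bucket`.

    `include_objects=False` drops the third (object-level) statement so the
    difference between the bucket ARN and the object ARN can be observed.
    The "Version" field is an addition; the post's policy omits it.
    """
    statements = [
        {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow",
         "Resource": "arn:aws:s3:::*"},
        {"Action": "s3:*", "Effect": "Allow",
         "Resource": f"arn:aws:s3:::{bucket}"},
    ]
    if include_objects:
        statements.append({"Action": "s3:*", "Effect": "Allow",
                           "Resource": f"arn:aws:s3:::{bucket}/*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def _match_action(pattern: str, action: str) -> bool:
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern: str, resource: str) -> bool:
    # Bucket names and keys are case-sensitive, so match them as given.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: an explicit Deny on a matching statement wins,
    otherwise any matching Allow grants, otherwise the request is implicitly
    denied. A statement matches only if BOTH action and resource match."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_match_action(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_match_resource(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_requests(bucket: str) -> dict:
    """Evaluate a constructed set of sample requests against the full policy."""
    policy = build_s3_only_policy(bucket)
    requests = {
        "list all buckets": ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
        "list own bucket": ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "get own object": ("s3:GetObject", f"arn:aws:s3:::{bucket}/reports/q1.csv"),
        "delete own bucket": ("s3:DeleteBucket", f"arn:aws:s3:::{bucket}"),
        "get object in other bucket": ("s3:GetObject", "arn:aws:s3:::other-team-bucket/notes.txt"),
        "list other bucket": ("s3:ListBucket", "arn:aws:s3:::other-team-bucket"),
        "run ec2 instance": ("ec2:RunInstances", "*"),
    }
    return {name: is_allowed(policy, act, res) for name, (act, res) in requests.items()}


def object_access_by_statement_form(bucket: str) -> dict:
    """Show that the bucket ARN alone does not cover objects inside it."""
    obj = f"arn:aws:s3:::{bucket}/reports/q1.csv"
    return {
        "bucket ARN statement only": is_allowed(
            build_s3_only_policy(bucket, include_objects=False), "s3:GetObject", obj),
        "with bucket/* statement": is_allowed(
            build_s3_only_policy(bucket), "s3:GetObject", obj),
    }


if __name__ == "__main__":
    print(json.dumps(build_s3_only_policy("example-reports"), indent=2))
    for name, decision in check_requests("example-reports").items():
        print(f"{name:30s} -> {'ALLOW' if decision else 'deny'}")
    print(object_access_by_statement_form("example-reports"))
```

Running it prints the generated policy followed by the decisions: everything on `example-reports` and its objects is allowed, the other team's bucket and the EC2 call fall through to the implicit deny, and `object_access_by_statement_form` shows that without the `bucket_name_here/*` statement a `GetObject` on an object in the bucket is denied, which is exactly why the post carries both the second and the third statement.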
