IAM Users Only for Bucket Access

Ideally, use an IAM role when the credentials are used by an application hosted on EC2 (the instance profile supplies rotating temporary credentials, so nothing long-lived has to be stored). Where an IAM user is unavoidable, the following can be set up:

  • Create an S3 bucket, say unni-test.
  • Create an IAM user with the same name as the bucket, unni-test.
  • Use an IAM policy variable (here ${aws:username}) to write a single policy that grants each user access only to the bucket carrying their own name, and attach it to an IAM group. Every further user with the same requirement is then handled by creating their bucket and adding them to that group, with no per-user policy. Caveat: the user name must also be a legal S3 bucket name (lowercase, DNS-compatible, globally unique), so choose user names accordingly.

Example (from the AWS documentation):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}
    },
    {
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/home/${aws:username}/*"]
    }
  ]
}

The policy uses a policy variable (${aws:username}) that is evaluated at request time and contains the friendly name of the IAM user who made the request. This particular example confines each user to a home/<username>/ prefix inside one shared bucket; the bucket-per-user scheme above instead substitutes the variable into the bucket name itself (arn:aws:s3:::${aws:username} and arn:aws:s3:::${aws:username}/*). Two caveats: aws:username is only populated for IAM user principals, so a role assuming this policy will never match the resource; and s3:* is much broader than a user needs (it includes s3:DeleteBucket and s3:PutBucketPolicy), so list the actions explicitly.
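The following is an added example, not code from the original post or from AWS: it writes the group policy for the bucket-per-user scheme described above, validates that an IAM user name is also a legal S3 bucket name, and runs a simplified, offline evaluation of the policy to show that each user reaches only the bucket named after them. The user names unni-test and alice and the object keys are constructed for the example; the evaluator models only Allow/Deny, action and resource matching after substituting ${aws:username}, not the full IAM evaluation logic.

```python
import json
import re

# Constructed group policy for the "bucket named after the IAM user" scheme.
# IAM substitutes ${aws:username} at request time, so one document attached
# to the group confines every member to their own bucket.  Actions are
# listed explicitly instead of "s3:*" so bucket-level management calls
# (DeleteBucket, PutBucketPolicy, ...) are not granted by accident.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketLevel",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::${aws:username}"],
        },
        {
            "Sid": "ObjectLevel",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::${aws:username}/*"],
        },
    ],
}

# S3 bucket names: 3-63 characters, lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit, no "..".  IAM user
# names may contain upper case and characters such as @ + = , so a user
# name must be checked before it is reused as a bucket name.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def bucket_name_ok(username: str) -> bool:
    """True if the IAM user name is also a legal S3 bucket name."""
    return bool(_BUCKET_RE.match(username)) and ".." not in username


def render_policy() -> str:
    """Policy JSON to pass to `aws iam put-group-policy --policy-document`."""
    return json.dumps(GROUP_POLICY, indent=2)


def _iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard matching: '*' is any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, username: str, action: str, resource: str) -> bool:
    """Simplified evaluation for an IAM *user* principal (aws:username is
    only set for users, never for roles): default deny, an explicit Deny
    wins, otherwise any matching Allow grants.  Conditions, SCPs and
    bucket policies are out of scope of this model."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Policy variable substitution happens before resource matching.
        resources = [r.replace("${aws:username}", username) for r in resources]
        action_hit = any(_iam_match(a.lower(), action.lower()) for a in actions)
        resource_hit = any(_iam_match(r, resource) for r in resources)
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(render_policy())
    # Constructed requests: own bucket vs. another user's bucket.
    checks = [
        ("unni-test", "s3:GetObject", "arn:aws:s3:::unni-test/reports/q1.csv"),
        ("unni-test", "s3:GetObject", "arn:aws:s3:::alice/reports/q1.csv"),
        ("alice", "s3:PutObject", "arn:aws:s3:::alice/notes.txt"),
        ("unni-test", "s3:DeleteBucket", "arn:aws:s3:::unni-test"),
    ]
    for user, act, res in checks:
        print(f"{user:10} {act:16} {res:45} -> {is_allowed(GROUP_POLICY, user, act, res)}")
    for name in ("unni-test", "Unni.Test@corp"):
        print(f"{name!r} usable as bucket name: {bucket_name_ok(name)}")
```

Before attaching the document, run it through `aws iam simulate-principal-policy` for a real user and a role to confirm the same allow/deny outcomes, since the evaluator above is only a model of the scheme.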

Example IAM Policies : http://docs.aws.amazon.com/IAM/latest/UserGuide/ExampleIAMPolicies.html
