IAM Users Only for Bucket Access

Ideally we have to IAM Roles if the access credentials is used by an App hosted in EC2, else the following can be setup :

  • Create an IAM Bucket say unni-test
  • Create an IAM User with the same name as bucket say – unni-test
  • Now we can use IAM Variables (here aws:username) to create just a Single Policy to Grant Acccess specifically to each bucket and apply it to the IAM Group. Hence all similar requirements can be added to this IAM Group.

Example :
“Version”: “2012-10-17”,
“Statement”: [
“Action”: [“s3:*”],
“Effect”: “Allow”,
“Resource”: [“arn:aws:s3:::mybucket”],
“Resource”: [“arn:aws:s3:::mybucket/home/${aws:username}/*”]

The policy uses a policy variable (${aws:username}) that is evaluated at run time and contains the friendly name of the IAM user who made the request.

Example IAM Policies : http://docs.aws.amazon.com/IAM/latest/UserGuide/ExampleIAMPolicies.html


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s