If we want a restrictive policy that lets an IAM user do nothing but upload to a bucket, the policy below works (note that it is written in bucket-policy form, naming the user as the Principal):
{
  "Version": "2012-10-17",
  "Id": "Policy1421692784857",
  "Statement": [
    {
      "Sid": "Stmt1421692783042",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::root/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account_id>:user/<user_name>"
        ]
      }
    }
  ]
}
You could use a policy similar to the one above and upload to the bucket with the AWS CLI. If you are using the s3cmd utility, however, its initial configuration ("s3cmd --configure") only works if the s3:ListAllMyBuckets action is allowed, and per the AWS documentation ListAllMyBuckets cannot be restricted to a particular bucket: "The following example user policy grants the s3:CreateBucket, s3:ListAllMyBuckets, and the s3:GetBucketLocation permissions to a user. Note that for all these permissions, you set the relative-id part of the Resource ARN to "*". For all other bucket actions, you must specify a bucket name. For more information, see Specifying Resources in a Policy." Instead, the IAM user policy should look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1421700917471",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "Stmt1421701147331",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}
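To confirm what a policy like the one above actually permits before attaching it to a user, here is an added Python example (not from the original post) implementing a minimal IAM-style evaluator: default deny, wildcard matching on Action and Resource, and explicit Deny overriding Allow. The bucket name example-bucket and the Sids are constructed placeholders; conditions and resource-based policies are not modelled.

```python
import fnmatch
import json

# Constructed for this example: the upload-only policy from the post, with a
# sample bucket name filled in (placeholder, not a real bucket).
UPLOAD_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListBucketsForS3cmd", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    {"Sid": "UploadOnly", "Effect": "Allow",
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcard match: '*' spans any characters (including '/'), '?' one."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Evaluate an identity policy: default deny; an explicit Deny beats any Allow.
    Actions match case-insensitively, resource ARNs case-sensitively.
    Conditions, NotAction/NotResource and bucket policies are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_glob(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False  # explicit deny short-circuits everything
            allowed = True
    return allowed


def allowed_actions(policy, resource, candidates):
    """Which of the candidate actions does the policy permit on this resource?
    Handy as a least-privilege check: the answer should be exactly the intended set."""
    return sorted(a for a in candidates if is_allowed(policy, a, resource))


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    probe = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket"]
    print("permitted on", obj, "->", allowed_actions(UPLOAD_ONLY_POLICY, obj, probe))
    # ListAllMyBuckets is not bucket-scoped, so probe it with the account-wide S3 ARN.
    print("ListAllMyBuckets:", is_allowed(UPLOAD_ONLY_POLICY, "s3:ListAllMyBuckets", "arn:aws:s3:::*"))
```

Run it against the real policy JSON you intend to attach; an unexpected action showing up in the permitted list (GetObject, DeleteObject, ListBucket) means the statement is broader than upload-only.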