How to give 2 IAM users web access to an S3 bucket

This is effectively a condensed version of Amazon's documentation on giving specific IAM users and groups access to specific buckets. Your first step is to create an S3 bucket, one IAM group, and at least two IAM users.

Now that we have the S3 bucket, IAM group, and IAM users, we're ready to add permissions. We only need to attach policies to the group and to the users.

Add the following JSON policy to the IAM group, replacing "BUCKET_NAME" with your bucket name:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootLevelListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        ""
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        }
    ]
}

Add the following JSON policy to each of the IAM users, replacing "BUCKET_NAME" with your bucket name:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ]
        }
    ]
}

If you instead want to limit the IAM users to a "sub-bucket" (in S3 terms, a key prefix, shown as a folder in the console), use the following policy, replacing "BUCKET_NAME" with your bucket name and "SUB_BUCKET" with the prefix:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "SUB_BUCKET/*"
                    ]
                }
            }
        }
    ]
}
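To see what the two listing conditions above actually permit, here is an added Python example (not from the post and not AWS code) that models how IAM evaluates StringEquals and StringLike against the s3:prefix and s3:delimiter request keys for the group policy and the sub-bucket policy; the bucket name example-bucket and the prefix reports are constructed placeholders.

```python
import fnmatch

# Constructed sample values (not from the post); substitute your own.
BUCKET = "example-bucket"
SUB_BUCKET = "reports"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# Group policy statement from the post: root-level listing only (empty prefix, "/" delimiter).
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowRootLevelListingOfCompanyBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN],
     "Condition": {"StringEquals": {"s3:prefix": [""], "s3:delimiter": ["/"]}}}]}

# Per-user "sub-bucket" policy from the post: listing allowed only under one prefix.
SUB_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN],
     "Condition": {"StringLike": {"s3:prefix": [f"{SUB_BUCKET}/*"]}}}]}


def condition_matches(condition, context):
    """Evaluate StringEquals/StringLike blocks for single-valued keys the way IAM does:
    every key under every operator must match, and a key absent from the request
    context makes the condition false (the console sends prefix "" and delimiter "/")."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None:
                return False
            if operator == "StringEquals":
                ok = value in patterns
            elif operator == "StringLike":
                # IAM wildcards: '*' matches any run (including empty), '?' one character.
                # fnmatch also treats '[...]' specially; IAM does not, so avoid it in patterns.
                ok = any(fnmatch.fnmatchcase(value, p) for p in patterns)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def list_bucket_allowed(policies, bucket, prefix="", delimiter=None):
    """True if any Allow statement permits s3:ListBucket on `bucket` for this request.
    Models only the identity-policy Allow side: no explicit Deny, no bucket policy."""
    context = {"s3:prefix": prefix}
    if delimiter is not None:
        context["s3:delimiter"] = delimiter
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] != "Allow" or "s3:ListBucket" not in stmt["Action"]:
                continue
            if f"arn:aws:s3:::{bucket}" not in stmt["Resource"]:
                continue
            if condition_matches(stmt.get("Condition", {}), context):
                return True
    return False
```

Note that neither policy grants s3:GetObject or s3:PutObject, so these statements only govern which listings succeed, not reading or uploading objects.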

That’s it!

Toby Cryns

Toby Cryns is a freelance CTO, expert WordPress consultant, and teacher.
