How to give 2 IAM users web access to an S3 bucket

This is effectively a condensed version of Amazon’s documentation for how to give specific IAM users and groups access to specific buckets. Your first step is to create an S3 bucket, 1 IAM group, and at least 2 IAM users.

Now that we have the s3 bucket, IAM group, and IAM users, we’re ready to add permissions. We only need to add permissions to the group and to the users.

Add the following JSON permissions to the IAM group, replacing “BUCKET_NAME” with your bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootLevelListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        ""
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        }
    ]
}

Add the following JSON permissions to the IAM users, replacing “BUCKET_NAME” with your bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ]
        }
    ]
}

If you want to grant the IAM users access to a sub-bucket (a folder, i.e. a key prefix, inside the bucket), then use the following policy, replacing “BUCKET_NAME” and “SUB_BUCKET_NAME” with the respective bucket names:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "SUB_BUCKET_NAME/*"
                    ]
                }
            }
        }
    ]
}

That’s it!
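To check what these statements actually permit, here is an added example (not part of the original post and not AWS code) that models how the s3:prefix and s3:delimiter conditions decide a ListBucket request, comparing the unconditional user policy with the prefix-restricted one. It is a simplified evaluator covering only Allow statements and the two condition operators used above; the names can_list, statement_allows and the policy constants are invented for this sketch.

```python
import re

# Simplified model of IAM evaluation for illustration: Allow statements only,
# no explicit Deny, no policy variables. BUCKET_NAME is the page's placeholder.
BUCKET = "arn:aws:s3:::BUCKET_NAME"

# The group's root-listing statement and the two user policy variants from the page.
GROUP_ROOT = {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
              "Condition": {"StringEquals": {"s3:prefix": [""], "s3:delimiter": ["/"]}}}
USER_WHOLE_BUCKET = {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET]}
USER_PREFIX_ONLY = {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
                    "Condition": {"StringLike": {"s3:prefix": ["SUB_BUCKET_NAME/*"]}}}


def _like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None


OPERATORS = {"StringEquals": lambda want, got: want == got, "StringLike": _like}


def statement_allows(stmt, action, resource, context):
    """True if one Allow statement matches the request."""
    if stmt["Effect"] != "Allow" or not any(_like(a, action) for a in stmt["Action"]):
        return False
    if not any(_like(r, resource) for r in stmt["Resource"]):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, wanted in keys.items():      # every condition key must match (AND)
            if key not in context:            # a key absent from the request never matches
                return False
            if not any(OPERATORS[op](w, context[key]) for w in wanted):  # values are OR
                return False
    return True


def can_list(statements, prefix=None, delimiter=None):
    """Evaluate a ListBucket request; None means the parameter was not sent."""
    context = {k: v for k, v in (("s3:prefix", prefix), ("s3:delimiter", delimiter))
               if v is not None}
    return any(statement_allows(s, "s3:ListBucket", BUCKET, context) for s in statements)


if __name__ == "__main__":
    for prefix, delim in [("", "/"), ("SUB_BUCKET_NAME/", "/"), ("other/", "/"), ("", None)]:
        print(repr(prefix), repr(delim), can_list([GROUP_ROOT, USER_PREFIX_ONLY], prefix, delim))
```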

By The Mighty Mo! Design Co. | May 25, 2021
