IAM (AWS Identity and Access Management) lets you manage access to your Amazon resources and grant users access to specific resources. In my case I wanted to give a customer access to an S3 bucket, but I didn't want them to see all the other buckets (they are simply none of their business).
So to give them access I created a new user (let's call it SampleAddress.com just for this example) and started experimenting with the permissions. I realized pretty soon that group permissions would be the way to go, so I also created a group for this customer, also called SampleAddress.com.
The Amazon permission policies are JSON files, so if you’ve worked with JSON before you recognize the syntax.
Since I didn't want the customer to see all buckets I couldn't use the action s3:ListAllMyBuckets, so I just gave them access to their own bucket. The downside is that they now get an error that they can't list buckets (i.e. they won't even see their own bucket in a bucket listing).
So the first statement gives them access to their own bucket, and the second statement gives them full access to anything inside that bucket. If you want to do the same thing, just replace www.sampleaddress.com with your own bucket name.
{
  "Statement": [
    {
      "Sid": "12355422424215",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::www.sampleaddress.com"
      ]
    },
    {
      "Sid": "8542515627885",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::www.sampleaddress.com/*"
      ]
    }
  ]
}
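As an added example (not from the original post), the script below builds the same two-statement policy for any bucket name and runs a small, deliberately simplified evaluator over it, so you can confirm what the policy grants and what it refuses: the bucket can be listed, objects inside it are fully accessible, other buckets are untouched, and s3:ListAllMyBuckets is not granted anywhere (which is exactly why the customer's client reports it cannot list buckets). The descriptive Sids and the added "Version" key are my own choices; the evaluator only understands Allow statements with "*"/"?" wildcards and ignores Deny, conditions and bucket policies.

```python
import fnmatch
import json


def build_single_bucket_policy(bucket: str) -> dict:
    """Per-customer policy from the post, parameterised by bucket name.

    Statement 1: list the bucket itself (bucket ARN, no trailing "/*").
    Statement 2: every S3 action on objects inside it (bucket ARN + "/*").
    "Version" is added here; the post's policy omits it, in which case IAM
    falls back to the older 2008-10-17 policy grammar.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnBucket",  # assumed Sid, not the post's
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "FullAccessInsideOwnBucket",  # assumed Sid
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: implicit deny unless an Allow statement
    matches both the action (case-insensitive) and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_single_bucket_policy("www.sampleaddress.com"), indent=2))
```

Note that s3:* on the object ARN does not cover bucket-level actions such as s3:DeleteBucket or s3:PutBucketPolicy, so the customer gets only the two bucket actions listed in the first statement.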
To solve the issue that the customer can't see its own bucket, I found S3 Browser (a Windows application) that works just like an FTP client. I instructed the customer to fill in their access key and secret key, and when they got the error message that they couldn't list the buckets I told them to fill in their web site address including the www. prefix (i.e. the bucket name). This way they got into their own bucket without seeing any other buckets, and they can use S3 Browser like any other FTP client.