Grant Access to single S3 bucket

I was setting up a static website on Amazon S3. This process is fairly simple. Finally I wanted to create a user that can only deploy to this one single bucket. As with all other user accounts I wanted to follow the least privilege model, so the default S3 full access policy was not an option for me.

I created a new policy granting full access to this specific bucket. It looked like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::myBucket/*",
        "arn:aws:s3:::myBucket"
      ]
    }
  ]
}

I assigned this to the user that uploads my site and started the upload. Peng! Access Denied.

After some investigation I discovered that the s3:ListAllMyBuckets action was causing the problem: the upload tool lists the account's buckets first, and that action is not covered by a policy scoped to one bucket's ARN. I added a second policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

This solved my issue and the upload worked fine.
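To make the two-policy fix above concrete, here is an added example (my own code, not part of the original post) that merges both statements into a single policy document and runs a deliberately simplified IAM-style evaluator over the requests a static-site deploy makes. The evaluator only models Allow/Deny statements with wildcard Action and Resource matching (no Conditions, NotAction or principals), and it represents the s3:ListAllMyBuckets request with the bare service ARN "arn:aws:s3:::" as an assumption, so that only an all-buckets resource pattern can satisfy it. The bucket name "myBucket" is the post's placeholder; the request list and "someone-elses-bucket" are constructed for the demonstration.

```python
import json
import re

# Assumed bucket name; the post uses "myBucket" as its placeholder.
BUCKET = "myBucket"

# The post's two policies merged into one document. IAM evaluates the union of
# all policies attached to a user, so one document with both statements is
# equivalent to attaching the two separately.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAndObjects",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                f"arn:aws:s3:::{BUCKET}",
                f"arn:aws:s3:::{BUCKET}/*",
            ],
        },
        {
            "Sid": "ListBuckets",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*",
        },
    ],
}


def _wild(pattern: str, ignore_case: bool) -> re.Pattern:
    """Translate an IAM-style wildcard pattern (* and ?) into an anchored regex."""
    esc = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{esc}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow wins, otherwise the request is implicitly denied. Actions match
    case-insensitively (as in IAM); resource ARNs match case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        act_ok = any(_wild(a, True).match(action) for a in _as_list(stmt["Action"]))
        res_ok = any(_wild(r, False).match(resource) for r in _as_list(stmt["Resource"]))
        if not (act_ok and res_ok):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def bucket_only_policy() -> dict:
    """The post's first policy on its own, to reproduce the Access Denied."""
    return {"Version": "2012-10-17", "Statement": [DEPLOY_POLICY["Statement"][0]]}


def evaluate_deploy_requests(policy: dict = DEPLOY_POLICY) -> dict:
    """Requests a deploy tool makes (constructed), plus two that must stay denied.
    ListAllMyBuckets names no bucket; modelled here as the bare service ARN."""
    requests = {
        "list_all_buckets": ("s3:ListAllMyBuckets", "arn:aws:s3:::"),
        "list_bucket": ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
        "put_index": ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/index.html"),
        "put_other_bucket": ("s3:PutObject", "arn:aws:s3:::someone-elses-bucket/index.html"),
        "delete_other_bucket": ("s3:DeleteBucket", "arn:aws:s3:::someone-elses-bucket"),
    }
    return {name: is_allowed(policy, act, res) for name, (act, res) in requests.items()}


if __name__ == "__main__":
    print(json.dumps(DEPLOY_POLICY, indent=2))
    print("first policy only:   ", evaluate_deploy_requests(bucket_only_policy()))
    print("with ListAllMyBuckets:", evaluate_deploy_requests())
```

Running it shows the first policy alone denies list_all_buckets while allowing the bucket operations, which is exactly the failure the post hit; the merged policy allows the listing call and still denies writes and deletes against any other bucket, so the deploy user stays scoped to the one site. For a real account, the same checks can be run against live IAM with the policy simulator rather than this toy evaluator.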
