Limit an S3 user to one bucket

If you want a user to only have access to one specific bucket you need to create a policy like the one below. The user will still be able to see other bucket names in your account but won’t be able to access the contents (there really is no way around this except for creating a separate Amazon Web Services account that does not contain any other buckets).

To set up the account, go to Amazon IAM and create a new user. In Permissions, click on Attach User Policy, select Custom Policy and copy and paste the following Policy Document into the field (replace the two occurances of bucketname with the name of your bucket):

{ { "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "" }, { "Action": "s3:", "Effect": "Allow", "Resource": [ "arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*" ] } ] }

If the user should also have access to another bucket, just repeat the two “arn:aws:s3:::bucketname” lines, replacing bucketname with the second bucket name. Watch out to add a comma to the end of each but the last line.

Limit an S3 user to one bucket
Share this