Restrict Amazon IAM user access to a Single S3 Bucket

by Giang, last updated 19 Jan 2018

It is a bad practice when an AWS key pair could access all S3 buckets, or worse all AWS services. Therefore I want to create an IAM user and restrict its access to a single S3 bucket used for a project.

First step is to create a new user in IAM with access type is Programmatic access only. Skip the permissions steps.

After user is created, go to user detail page, click Add inline policy, we will be taken to this screen

If we choose Custom Policy, just enter a policy name and copy the piece of code below, just make sure to change bucket-name to the real bucket name

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

If we choose Policy Generator option, make sure the inputs are similar to this

then click Add Statement and proceed.

And that's all.

However, I found out that other tutorials on the Internet involving reading buckets list permission, I don't use it and things still work normally, but I leave the it here just in case.

{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "arn:aws:s3:::*"
}