A blog probably of interest only to nerds by John Morton.

24 Feb 2018

An S3 bucket policy to allow full access for a single bucket.

When I have a new project that requires some Amazon S3 storage, I try to “do the right thing” for security by creating a new user and a new bucket entirely. I don’t want to share any credentials across projects.

That means after I have created my S3 bucket I need to assign a user with the appropriate permissions. For me, that typically means I want this new user to have full access to manage that bucket and no others.

Since I have to dig around every time I do this to create the policy, I decided to post it here. In the example below, my bucket name is “mybucketname”. Creative!

You can assign this policy to your user directly or apply it to a group of users.

About the Sid line, I’ve added that because the bucket I’m creating will now, by default, make the files I’m uploading available to the public. Regarding this setting, the Amazon docs say “The Sid (statement ID) is an optional identifier that you provide for the policy statement.” So, basically, I think it’s there to help you identify the policy’s role next time you come take a look at the policy statement.

In practical terms, I’m using this bucket to store images I’m uploading from a web form for use by an API. I want those uploaded images viewable by the world and “AllowPublicRead” is hopefully a way for me to quickly identify that later.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname",
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}
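Before attaching a policy like this to a user or group, it is worth confirming mechanically that the wide "s3:*" grant really is limited to the one bucket and that only the two read-only listing actions apply to every resource. The script below is an added example written for this post, not code from the original or from AWS. It embeds the policy above (with the placeholder bucket name "mybucketname"), summarises its scope, and runs a deliberately simplified IAM evaluation (explicit Deny wins, then any matching Allow, else deny; Conditions, NotAction and NotResource are not handled since this policy uses none). Note that the Sid is only a label; what the statement grants is decided by Effect, Action and Resource, and whether anonymous visitors can read objects is governed separately by the bucket's own policy, ACLs and Block Public Access settings, not by this user policy.

```python
import fnmatch
import json

# The policy from the post, embedded verbatim so the script runs offline.
POLICY_JSON = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
            "Resource": "*"
        },
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [
                "arn:aws:s3:::mybucketname",
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, candidate, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    if case_insensitive:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def allows(policy, action, resource):
    """Simplified evaluation (assumption: no Condition, NotAction or NotResource):
    an explicit Deny wins, otherwise any matching Allow grants, otherwise deny."""
    decision = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not _matches(_as_list(stmt["Action"]), action, case_insensitive=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def full_access_buckets(policy):
    """Bucket names on which an Allow statement grants every S3 action.
    The set contains '*' if such a grant is not limited to an S3 bucket ARN."""
    prefix = "arn:aws:s3:::"
    buckets = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(a.lower() in ("*", "s3:*") for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            if res.startswith(prefix):
                buckets.add(res[len(prefix):].split("/", 1)[0])
            else:
                buckets.add("*")
    return buckets


def scope_report(policy):
    """Summarise the policy: buckets with full access, and actions allowed on every resource."""
    global_actions = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            global_actions.update(_as_list(stmt["Action"]))
    return {
        "full_access_buckets": sorted(full_access_buckets(policy)),
        "actions_on_all_resources": sorted(global_actions),
    }


if __name__ == "__main__":
    print(json.dumps(scope_report(POLICY), indent=2))
    # Constructed sample requests: one inside the bucket, one against another bucket.
    for action, res in [
        ("s3:PutObject", "arn:aws:s3:::mybucketname/uploads/photo.jpg"),
        ("s3:GetObject", "arn:aws:s3:::someone-elses-bucket/secret.txt"),
        ("s3:ListAllMyBuckets", "*"),
    ]:
        verdict = "allow" if allows(POLICY, action, res) else "deny"
        print(f"{action:22s} {res:52s} -> {verdict}")
```

Run it as-is to see the report list exactly one bucket under full access and only the two listing actions under "actions_on_all_resources"; a "*" in the bucket list would mean an "s3:*" grant escaped the bucket scope.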