AWS S3 custom policy
Emanuele Papa
February 19, 2017

Do you want to restrict access to S3 to only some users? Do you want to restrict which bucket they can access? Do you want to restrict the actions they can perform? Let’s create an AWS S3 custom policy!

Log in to your AWS console, go to the IAM console, choose Policies from the left-hand menu, then click on Create Policy.

Here you can create a new policy in 3 different ways; today we will follow the first one, so click on Copy an AWS Managed Policy. In the next screen select AmazonS3FullAccess. Now choose a policy name and description. Then, let’s write the policy document.

What I wanted to achieve was this:

  • user A, who can access only the development bucket;
  • user B, who can access only the production bucket.

So I created 2 policies, one for each user, that look like the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucketname*"
        }
    ]
}

Look at the * at the end of the bucket’s name. It is mandatory: the trailing wildcard makes the resource match both the bucket itself (arn:aws:s3:::bucketname, which s3:ListBucket needs) and every object in it (arn:aws:s3:::bucketname/key, which the object operations need). Without it you won’t have permission to execute the listing operation, and many other operations would fail because of this. Keep in mind that it is a prefix match, so the same statement also covers any other bucket in the account whose name starts with bucketname.

Another way is to write the policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucketname"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}

I write it only for completeness, but I find the first way more compact to write and to read.

Please note that you can add more attributes to the Statement object to restrict the permissions even further.

Now, after you have successfully created a policy, and assuming you have already created an IAM user from the IAM console, go to that user’s details and attach the policy using the Permissions tab.

Do you want to test that your new user and policy work as expected? Let’s assume you have created these settings:

  • User A can access only the development bucket;
  • User B can access only the production bucket.

This is what should happen:

  • User A tries to access the development bucket: permission granted;
  • User A tries to access the production bucket: permission denied;
  • User B tries to access the development bucket: permission denied;
  • User B tries to access the production bucket: permission granted.
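The expected outcomes above, and the remark about the trailing * on the bucket ARN, can be checked offline with a small IAM-style policy evaluator. The following is an added example and is not code from the original post or from AWS: it implements IAM wildcard matching (* matches any run of characters, ? exactly one; actions are matched case-insensitively, resources case-sensitively) together with the "explicit Deny wins, otherwise any Allow, otherwise implicit deny" rule for a single identity policy. Conditions, NotAction/NotResource and bucket policies are deliberately out of scope. The bucket names development and production, the object key report.csv and the bucket development-archive are constructed values for the scenario, and the first policy form from the post is used for user A while the second is used for user B.

```python
import re
from typing import Dict, Tuple

# Constructed from the post's first policy form, bucket name "development" (user A).
POLICY_USER_A = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::development*"}
    ],
}

# Constructed from the post's second policy form, bucket name "production" (user B).
POLICY_USER_B = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::production"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::production/*"},
    ],
}

# Constructed counter-example: objects only, no bucket ARN and no trailing wildcard.
POLICY_OBJECTS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::development/*"}
    ],
}


def iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM wildcard match: '*' is any run of characters (including '/'),
    '?' is exactly one character, everything else is literal."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one identity-based policy: a matching Deny always wins,
    otherwise any matching Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(iam_match(a, action, case_sensitive=False) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def access_matrix() -> Dict[str, bool]:
    """The post's test matrix plus two extra probes showing what the trailing * implies."""
    checks: Dict[str, Tuple[dict, str, str]] = {
        "A lists development": (POLICY_USER_A, "s3:ListBucket", "arn:aws:s3:::development"),
        "A reads development object": (POLICY_USER_A, "s3:GetObject", "arn:aws:s3:::development/report.csv"),
        "A lists production": (POLICY_USER_A, "s3:ListBucket", "arn:aws:s3:::production"),
        "B lists production": (POLICY_USER_B, "s3:ListBucket", "arn:aws:s3:::production"),
        "B reads production object": (POLICY_USER_B, "s3:GetObject", "arn:aws:s3:::production/report.csv"),
        "B lists development": (POLICY_USER_B, "s3:ListBucket", "arn:aws:s3:::development"),
        # Prefix wildcard: the first form also covers a differently named bucket.
        "A lists development-archive": (POLICY_USER_A, "s3:ListBucket", "arn:aws:s3:::development-archive"),
        # The explicit two-statement form does not leak to a prefix-sharing bucket.
        "B lists production-archive": (POLICY_USER_B, "s3:ListBucket", "arn:aws:s3:::production-archive"),
        # Without the bucket ARN, listing fails even though objects are readable.
        "objects-only lists development": (POLICY_OBJECTS_ONLY, "s3:ListBucket", "arn:aws:s3:::development"),
        "objects-only reads development object": (POLICY_OBJECTS_ONLY, "s3:GetObject", "arn:aws:s3:::development/report.csv"),
    }
    return {name: is_allowed(p, a, r) for name, (p, a, r) in checks.items()}


if __name__ == "__main__":
    for name, ok in access_matrix().items():
        print(f"{name:40s} {'granted' if ok else 'denied'}")
```

The matrix reproduces the four granted/denied results listed above and also shows the difference between the two policy forms: the compact bucketname* form grants access to development-archive as well, while the two-statement form stays pinned to exactly one bucket. That is the trade-off to weigh when choosing the shorter form.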

Please refer to the AWS docs for a complete list of attributes and actions to fully customize your policy.
