How to Give Amazon S3 Bucket Access to a Specific User Only


When working with Amazon S3, one of the most common security requirements is to restrict access so that only a specific IAM user can read and write data, while all other users are denied access.

In this tutorial, I’ll walk you through how to set up an IAM user policy and a bucket policy to ensure only the intended user can access the bucket.

Step 1: Create or Identify the IAM User

First, make sure you have an IAM user created in your AWS account.
For example, let’s say our user is named vishal.

Step 2: Attach a User Policy for Bucket Access

Attach the following IAM policy to the user (vishal).
This allows the user to list the bucket and perform object-level actions (get, put, delete):

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}

👉 Replace BUCKET_NAME with the actual name of your S3 bucket.

Step 3: Add a Bucket Policy to Restrict Access

The user policy only adds permissions for vishal; it does nothing about everyone else. Any other IAM user or role whose identity-based policy grants s3:* (for example one with AdministratorAccess attached) can still read and write the bucket. To prevent this, we add a bucket policy with an explicit Deny for every principal except our user. An explicit Deny wins over any Allow in any policy, which is exactly what makes this enforceable. Note the side effects: the Deny also applies to roles, to AWS services acting on the bucket, and to the account root user's data access. The root user keeps the ability to put and delete the bucket policy even when denied, so a mistake here can be undone, but you should still add your administrator or deployment principal to the exception list before applying it.

Here’s the bucket policy:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::AWS_ACCOUNT_ID:user/vishal"
                    ]
                }
            }
        }
    ]
}

👉 Replace BUCKET_NAME with your bucket name and AWS_ACCOUNT_ID with your AWS account ID. The aws:PrincipalArn list can hold more than one ARN; if you add a role, use the role ARN (arn:aws:iam::ACCOUNT_ID:role/NAME), because for an assumed role the condition is evaluated against the role ARN, not the session ARN.


Step 4: Verify Access

  1. Sign in as user vishal, or configure a CLI profile with vishal's access keys.
  2. List, upload, and delete objects in the bucket — each call should succeed.
  3. Repeat the same calls as a different IAM user, ideally one with broad permissions such as AdministratorAccess. Every call should fail with AccessDenied; if it does not, the bucket policy was not applied or the principal is listed in the exception.
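The whole procedure in one script, as an added example rather than code from the original post. It renders the two policy documents from the tutorial, applies them with the AWS CLI, and verifies the result with two CLI profiles. It goes slightly beyond the post in one way: the bucket policy function accepts several principal ARNs, so an administrator role can sit next to vishal in the exception list. The bucket name, account ID, profile names, and the Admin role ARN are placeholders.

```shell
#!/usr/bin/env bash
# Added example for the tutorial above; not the original post's code.
# Assumes AWS CLI v2 and that the default profile can manage IAM and S3.
# BUCKET, ACCOUNT_ID, the Admin role and the profile names are placeholders.
set -eu

# Identity-based policy for the user: list the bucket, then get/put/delete objects.
user_policy() {
  local bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Bucket policy: explicit Deny for every principal whose ARN is not listed.
# Arguments: bucket name, then one or more principal ARNs. Listing the admin
# or deployment role alongside the user avoids locking yourself out.
bucket_policy() {
  local bucket="$1"; shift
  local arns="" sep=""
  for arn in "$@"; do
    arns="${arns}${sep}\"${arn}\""
    sep=", "
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptListedPrincipals",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"],
      "Condition": {
        "StringNotEquals": { "aws:PrincipalArn": [${arns}] }
      }
    }
  ]
}
EOF
}

# Attach the inline user policy and install the bucket policy.
apply_policies() {
  local bucket="$1" user="$2"; shift 2
  aws iam put-user-policy --user-name "$user" \
      --policy-name "${bucket}-access" \
      --policy-document "$(user_policy "$bucket")"
  aws s3api put-bucket-policy --bucket "$bucket" \
      --policy "$(bucket_policy "$bucket" "$@")"
}

# The user's profile must be able to list the bucket; any other profile
# must be denied. Returns 0 only when both expectations hold.
verify_access() {
  local bucket="$1" user_profile="$2" other_profile="$3"
  aws s3api list-objects-v2 --bucket "$bucket" --max-keys 1 \
      --profile "$user_profile" >/dev/null \
    || { echo "FAIL: $user_profile cannot list $bucket"; return 1; }
  if aws s3api list-objects-v2 --bucket "$bucket" --max-keys 1 \
      --profile "$other_profile" >/dev/null 2>&1; then
    echo "FAIL: $other_profile can still list $bucket"; return 1
  fi
  echo "OK: only $user_profile can reach $bucket"
}

# Only talks to AWS when RUN_AGAINST_AWS=1, so the file can be sourced safely.
if [ "${RUN_AGAINST_AWS:-0}" = "1" ]; then
  BUCKET="my-private-bucket"     # placeholder
  ACCOUNT_ID="123456789012"      # placeholder
  apply_policies "$BUCKET" vishal \
    "arn:aws:iam::${ACCOUNT_ID}:user/vishal" \
    "arn:aws:iam::${ACCOUNT_ID}:role/Admin"
  verify_access "$BUCKET" vishal other-user
fi
```

Run it as `RUN_AGAINST_AWS=1 ./s3-single-user.sh` with a default profile that can manage IAM and the bucket, a `vishal` profile holding the user's keys, and an `other-user` profile for a second identity. The verify step deliberately tests the second identity with a call that would succeed without the bucket policy, so a passing run proves the Deny is in effect rather than that the other user simply lacks an Allow.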

Conclusion

With this setup:

  • IAM user vishal can list the bucket and get, put, and delete its objects.
  • Every other principal, including roles and users with administrator permissions, is explicitly denied by the bucket policy.

This is a sound pattern for isolating a bucket to a single trusted identity. Keep the exception list as short as possible, but include the administrator or deployment principal that must manage the bucket, and remember that S3 Block Public Access should stay enabled on the bucket as well; the Deny here is a second line of defense, not a replacement for it.
