Leverage AWS IAM Policy Variables to grant access to S3 Folders.

By Default An AWS account can have up-to 100 S3 buckets. Often times there might be a need to have a separate bucket for each user which can be controlled using IAM Policies. However as a workaround for the bucket limitation of “100 buckets per account”, we can even create a single bucket and create multiple folders under the bucket and grant access to users to their specific buckets. This can be achieved using policy variables. where a single IAM Policy can be created and the user names can be passed as variables to IAM Policies.

For example:
We can use the policy and replace user name with a variable that uses the requester’s user name (aws:username), as shown in the following policy:

{
       "Sid": "AllowAllS3ActionsInUserFolder",
       "Action":["s3:*"],
       "Effect":"Allow",
       "Resource": ["arn:aws:s3:::my-company/home/${aws:username}/*"]
    }

Whenever a user makes a request to AWS, the variable is replaced by the “friendly” user name of whomever made the request. So when “Sriharsh” makes a request, ${aws:username} resolves to Sriharsh; when Mark makes the request, ${aws:username} resolves to Mark, etc.

{
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-company/home/Sriharsh/*"]
    }

For more details, on how to implement Policy variables, please refer the links below:

“Policy Variables” in Using IAM.

Policy Variables using folders –
https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.