By default, an AWS account can have up to 100 S3 buckets. Often there is a need to have a separate bucket for each user, with access controlled using IAM policies. However, as a workaround for the “100 buckets per account” limitation, we can instead create a single bucket, create a folder under it for each user, and grant each user access only to their own folder. This can be achieved using policy variables, where a single IAM policy is created and the user name is substituted into the policy as a variable at request time.
For example:
We can take the policy and replace the user name with a variable that resolves to the requester’s user name (aws:username), as shown in the following policy statement:

{
  "Sid": "AllowAllS3ActionsInUserFolder",
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": ["arn:aws:s3:::my-company/home/${aws:username}/*"]
}
Whenever a user makes a request to AWS, the variable is replaced by the “friendly” user name of whoever made the request. So when “Sriharsh” makes a request, ${aws:username} resolves to Sriharsh; when Mark makes the request, ${aws:username} resolves to Mark, etc. For Sriharsh, the statement is evaluated as:

{
  "Sid": "AllowAllS3ActionsInUserFolder",
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": ["arn:aws:s3:::my-company/home/Sriharsh/*"]
}
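To make the substitution concrete, the following added example (not code from the original post or from AWS) is a small offline evaluator for the statement above. It substitutes ${aws:username} from a constructed request context, matches the resolved resource ARN against the requested object ARN using IAM-style wildcards, and applies the default-deny / explicit-deny-wins rule. The policy document, the Version and Statement wrapper, the user names and the object keys are all constructed for the example; the helper names (resolve_variables, wildcard_match, evaluate, is_allowed) are hypothetical, not an AWS API.

```python
import re

# Constructed policy, modelled on the statement in the post; the Version/Statement
# wrapper is added here so the document is a complete IAM policy.
USER_FOLDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::my-company/home/${aws:username}/*"],
        }
    ],
}

# Matches policy variables such as ${aws:username}.
VARIABLE = re.compile(r"\$\{([A-Za-z0-9:_./-]+)\}")


def resolve_variables(text, context):
    """Substitute ${key} with context[key]. Returns None if any key is missing:
    an unresolvable variable means the element cannot match, so nothing is granted."""
    missing = False

    def substitute(match):
        nonlocal missing
        value = context.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    resolved = VARIABLE.sub(substitute, text)
    return None if missing else resolved


def wildcard_match(pattern, value, case_insensitive=False):
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource_arn, context):
    """Return 'Allow' or 'Deny' for one request: default deny, explicit Deny wins.
    Actions match case-insensitively; resource ARNs match case-sensitively."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(wildcard_match(a, action, case_insensitive=True)
                   for a in as_list(stmt.get("Action", []))):
            continue
        resources = [r for r in (resolve_variables(r, context)
                                 for r in as_list(stmt.get("Resource", [])))
                     if r is not None]
        if not any(wildcard_match(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(policy, action, resource_arn, username=None):
    """Evaluate a request made by an IAM user; username=None models a principal
    (e.g. an assumed role) for which aws:username is not present in the context."""
    context = {} if username is None else {"aws:username": username}
    return evaluate(policy, action, resource_arn, context) == "Allow"


if __name__ == "__main__":
    bucket = "arn:aws:s3:::my-company"
    checks = [  # constructed requests
        ("Sriharsh", "s3:GetObject", f"{bucket}/home/Sriharsh/report.txt"),
        ("Sriharsh", "s3:PutObject", f"{bucket}/home/Mark/report.txt"),
        ("Mark", "s3:GetObject", f"{bucket}/home/Mark/report.txt"),
        ("Mark", "s3:ListBucket", bucket),
        (None, "s3:GetObject", f"{bucket}/home/Sriharsh/report.txt"),
    ]
    for user, action, arn in checks:
        verdict = "ALLOW" if is_allowed(USER_FOLDER_POLICY, action, arn, user) else "DENY"
        print(f"{str(user):10} {action:14} {arn}: {verdict}")
```

Two of the constructed checks are worth noting. Sriharsh writing into home/Mark/ is denied because no statement's resolved resource matches that key, so the implicit deny applies. Mark calling s3:ListBucket on the bucket ARN is also denied: the statement only names object-level resources under the user's folder, so listing requires a separate bucket-level statement (the linked AWS blog post covers that), and a principal with no aws:username in its request context gets nothing from this statement at all.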
For more details on how to implement policy variables, please refer to the links below:
“Policy Variables” in Using IAM.
Policy Variables using folders –
https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/