AnApprentice

Reputation: 110980

S3 Policy to allow a user to Put, Get, Delete and modify permissions

I'm working to create a policy document to allow an IAM user S3 access to a specific "blog" directory where they can create/edit/delete files as well as modify file permissions inside the bucket to global read, so uploaded files can be made public on a blog. Here is what I have so far; the only issue is that the policy is not letting the user modify permissions.

How can this policy be updated to allow the user to modify permissions to global read access?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::blog"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::blog/*"
    }
  ]
}

Upvotes: 4

Views: 4905

Answers (1)

slayedbylucifer

Reputation: 23502

> only issue is the policy is not letting the user modify permissions.

Correct. You have granted only the Put, Get and Delete permissions. In order to provide access for manipulating object-level permissions, you need to provide s3:PutObjectAcl API access.

Check the s3:PutObjectAcl IAM Action documentation and the S3 PUT Object acl documentation for more details on how you can leverage this API.

Upvotes: 3
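The question's policy with the s3:PutObjectAcl action from the answer applied, as an added example that is not part of the original question or answer. The `Condition` on the `s3:x-amz-acl` key and the `Sid` label are additions assumed here so that the user can only apply the canned `public-read` ACL; the bucket name `blog` is taken from the question.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::blog"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::blog/*"
    },
    {
      "Sid": "AddedExamplePublicReadAclOnly",
      "Effect": "Allow",
      "Action": ["s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::blog/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "public-read" }
      }
    }
  ]
}
```

Even with this statement in place, S3 rejects public ACLs if Block Public Access is enabled for the account or bucket, and ignores ACLs entirely when the bucket's Object Ownership is set to bucket owner enforced.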
