Reputation: 788
Is there a way to somehow simplify the two AWS IAM policy statements given below into one?
I want to allow the ListBucket, GetBucketLocation, GetBucketPolicy and GetBucketACL actions on the bucket, as well as on the mainfolder and the subfolders 1, 2, 3 which are located within the bucket.
I have two statements: one to allow the operations on the bucket and the other to allow operations on the mainfolder and subfolders. Since the Action, Effect and Resource in both statements are the same, is it somehow possible to write a single statement?
Thanks,
John
```json
"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": "arn:aws:s3:::bucket"
    },
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToListFilesInAllFolders",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": "arn:aws:s3:::bucket",
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    "mainfolder",
                    "mainfolder/subfolder1",
                    "mainfolder/subfolder2",
                    "mainfolder/subfolder3"
                ],
                "s3:delimiter": "/"
            }
        }
    }
]
```
Upvotes: 3
Views: 9460
Reputation: 4491
You can condense it down even further with the wildcard statement.
http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html
```json
"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder",
            "arn:aws:s3:::bucket/mainfolder/*"
        ]
    }
]
```
or, if you want to give them access to everything in the mainfolder:
```json
"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder/*"
        ]
    }
]
```
Now note that:
> The policy is separated into two parts because the ListBucket action requires permissions on the bucket while the other actions require permissions on the objects in the bucket. We used two different Amazon Resource Names (ARNs) to specify bucket-level and object-level permissions. The first Resource element specifies arn:aws:s3:::test for the ListBucket action so that applications can list all objects in the test bucket. The second Resource element specifies arn:aws:s3:::test/* for the GetObject, PutObject, and DeleteObject actions so that applications can read, write, and delete any objects in the test bucket.
Upvotes: 2
Reputation: 34426
You can use a list of resources to combine these into a single statement, like this:
```json
"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder",
            "arn:aws:s3:::bucket/mainfolder/subfolder1",
            "arn:aws:s3:::bucket/mainfolder/subfolder2",
            "arn:aws:s3:::bucket/mainfolder/subfolder3"
        ]
    }
]
```
Upvotes: 4
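Both answers above collapse statements by listing every ARN under one Resource element. The Python below is an added example, not code from either answer, that automates that merge across a whole policy document and only merges statements whose Effect, Action and Condition are identical, so a statement carrying an s3:prefix Condition like the one in the question is kept separate rather than having its condition silently dropped. The sample policy and its Sids are constructed for the example.

```python
import copy
import json

# Constructed sample (not from the original post): the question's actions on
# the bucket, the same actions on the folder ARNs from the second answer, and
# a statement that differs only by an s3:prefix Condition (must stay separate).
ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation",
           "s3:GetBucketPolicy", "s3:GetBucketACL"]
FOLDERS = ["arn:aws:s3:::bucket/mainfolder"] + [
    f"arn:aws:s3:::bucket/mainfolder/subfolder{n}" for n in (1, 2, 3)]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccessToViewBucket", "Effect": "Allow",
     "Action": ACTIONS, "Resource": "arn:aws:s3:::bucket"},
    {"Sid": "AllowAccessToFolders", "Effect": "Allow",
     "Action": ACTIONS[::-1], "Resource": FOLDERS},  # same actions, reordered
    {"Sid": "ListOnlyMainfolderPrefix", "Effect": "Allow",
     "Action": ACTIONS, "Resource": "arn:aws:s3:::bucket",
     "Condition": {"StringEquals": {"s3:prefix": ["mainfolder"]}}},
]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _merge_key(stmt):
    # Every field except Sid and Resource must match exactly. A Condition on
    # one side only makes the keys differ, so merging can never drop it.
    rest = {k: v for k, v in stmt.items() if k not in ("Sid", "Resource")}
    if "Action" in rest:  # "a" and ["a"] are the same; order is irrelevant
        rest["Action"] = sorted(_as_list(rest["Action"]))
    return json.dumps(rest, sort_keys=True)

def merge_statements(policy):
    """Copy of `policy` with equivalent statements collapsed into one that
    carries the de-duplicated union of their Resource ARNs."""
    merged, order = {}, []
    for idx, stmt in enumerate(policy["Statement"]):
        # Statements without a Resource element (e.g. NotResource) are kept.
        key = _merge_key(stmt) if "Resource" in stmt else ("keep", idx)
        if key in merged:
            for arn in _as_list(stmt["Resource"]):
                if arn not in merged[key]["Resource"]:
                    merged[key]["Resource"].append(arn)
            continue
        merged[key] = copy.deepcopy(stmt)
        if "Resource" in stmt:
            merged[key]["Resource"] = _as_list(stmt["Resource"])
        order.append(key)
    out = copy.deepcopy(policy)
    out["Statement"] = [merged[k] for k in order]
    return out
```

Run `json.dumps(merge_statements(SAMPLE_POLICY), indent=2)` to see the first two statements folded into one five-ARN statement while the conditioned statement survives untouched.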