user2798227

Reputation: 853

Delete Permissions for files in S3 bucket

My app lets user login using Google Plus. I have a common bucket for all my users. Anyone can upload/download files. But the problem is anyone can delete the file. How do I set the permissions so that anyone can upload/download files, but only the user who has uploaded the file can delete the file? This is my Roles->Inline Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::uni-cloud/*"
            ]
        }
    ]
}

Upvotes: 0

Views: 5180

Answers (3)

Nadeem Qasmi

Reputation: 2437

Upload and Delete files for specific S3 bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListStorageLensConfigurations",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:PutAccessPointPublicAccessBlock",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:ListMultiRegionAccessPoints",
                "s3:CreateJob"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<bucketName>",
                "arn:aws:s3:::<bucketName>/*"
            ]
        }
    ]
}

Upvotes: -1

Onur Salk

Reputation: 156

If you create folders for every user in that bucket, then you can let them delete only the objects in that folder. You can do it using IAM policies, visit here

Upvotes: 1

John Rotenstein

Reputation: 270114

Objects stored in Amazon S3 do not identify "the user who has uploaded the file". Therefore, you'll need some other way of identifying which files they are allowed to access.

The simplest method would be to give each user their own sub-directory and then grant them permission to upload/download/delete objects only in that sub-directory.

You could then create a Role that uses IAM Policy Variables that grant permission, using the user's identifier as the name for a sub-directory. The policy would look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
    }
  ]
}

Upvotes: 2
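To see how the per-user prefix approach from the answer above plays out against the question's actual requirement (anyone uploads/downloads, only the owner deletes), here is an added example, not part of the answer or of any AWS library: a small evaluator that substitutes `${aws:username}`, applies IAM-style `*`/`?` wildcards and the `StringLike` condition, and checks requests against a constructed policy (bucket name `mybucket` taken from the answer; the policy itself and the evaluator are my own simplification, not the real IAM engine).

```python
import re

# Constructed policy modelled on the answer: Get/Put anywhere in the bucket,
# but DeleteObject and ListBucket are scoped to the caller's own prefix.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::mybucket/*"]},
        {"Effect": "Allow", "Action": ["s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::mybucket"],
         "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}},
    ],
}

def _substitute(value, ctx):
    """Replace policy variables like ${aws:username} with request-context values."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), value)

def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _conditions_hold(cond, ctx):
    # Only StringLike is modelled; a missing context key makes the condition false.
    for key, patterns in cond.get("StringLike", {}).items():
        actual = ctx.get(key)
        if actual is None or not any(_glob(_substitute(p, ctx), actual) for p in _as_list(patterns)):
            return False
    return True

def is_allowed(policy, ctx, action, resource):
    """Default deny; an explicit Deny overrides any Allow, as in IAM evaluation."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(_substitute(r, ctx), resource) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def check_user(username, action, key=None, prefix=None):
    """Evaluate one request; key is None for bucket-level actions such as ListBucket."""
    ctx = {"aws:username": username}
    if prefix is not None:
        ctx["s3:prefix"] = prefix
    return is_allowed(POLICY, ctx, action, "arn:aws:s3:::mybucket" + (f"/{key}" if key else ""))
```

Because PutObject is granted on the whole bucket, any user can still overwrite another user's object; scoping only DeleteObject to a prefix prevents removal, not replacement.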
