Reputation: 872
I have a NAS which supports backup of files to AWS S3. I have created a user under IAM in the AWS console and I have tried to generate a policy which only allows this user access to a specific S3 bucket with read/write permissions. The following is the policy I have generated:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1465916250000",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::atlas-nas-backups"
            ]
        }
    ]
}
However, when I run this through the policy simulator against all actions for S3, each one fails. What am I missing, such that this user can't write objects to the bucket? I don't want this user to have access to any other AWS resources other than the ability to back up files to a specific bucket.
Upvotes: 0
Views: 881
Reputation: 2528
A minimal policy for backup only requires PutObject and ListBucket.
Why ListBucket? If you only add PutObject, aws will complain that it's missing the ListObjects permission.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::atlas-nas-backups/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::atlas-nas-backups"
        }
    ]
}
Upvotes: 0
Reputation: 13648
There is a quirk with bucket permissions, where you need to specify the bucket itself and its keys separately, using the /* wildcard specification. Additionally, even for a write operation, a List action may be required.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1465916250000",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::atlas-nas-backups",
                "arn:aws:s3:::atlas-nas-backups/*"
            ]
        }
    ]
}
I also added the "s3:GetBucketLocation" and "s3:ListBucket" actions. As previously noted, even if you are only writing objects, the service may want to list the item and get the location (region) of the bucket. You may not need these last two, but just wanted to show you them just in case.
Upvotes: 2
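As an added illustration (not code from either answer), here is a miniature policy evaluator in Python that reproduces what the policy simulator reported: the question's policy names only the bucket ARN, so a PutObject on a key such as arn:aws:s3:::atlas-nas-backups/nas/2016-06-14.tar (a constructed example key) matches no resource, while the corrected policy's /* entry does. The policy dicts are copies of the two on this page; the matching rules are a simplification of IAM's (wildcards, explicit Deny beating Allow, implicit deny otherwise).

```python
import re

# Constructed copies of the two policies on this page: the question's original
# (bucket ARN only) and the corrected one (bucket ARN plus "/*" for the keys).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                   "Resource": ["arn:aws:s3:::atlas-nas-backups"]}],
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:PutObjectAcl",
                              "s3:ListBucket", "s3:GetBucketLocation"],
                   "Resource": ["arn:aws:s3:::atlas-nas-backups",
                                "arn:aws:s3:::atlas-nas-backups/*"]}],
}

def _matches(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access, otherwise the request is implicitly denied.
    Action names are compared case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Two requests a backup job issues: PUT of one key (object ARN) and a listing
# of the bucket itself (bucket ARN). The key name is a constructed example.
OBJECT_ARN = "arn:aws:s3:::atlas-nas-backups/nas/2016-06-14.tar"
BUCKET_ARN = "arn:aws:s3:::atlas-nas-backups"

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "PutObject on key:", is_allowed(policy, "s3:PutObject", OBJECT_ARN))
        print(name, "ListBucket on bucket:", is_allowed(policy, "s3:ListBucket", BUCKET_ARN))
```

Running it shows the original policy denying the PutObject on the key while the fixed policy allows both requests and still denies anything outside the bucket or any action the backup does not need (for example s3:DeleteObject), which is the least-privilege shape the question asked for.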