Reputation: 12112
I have an S3 bucket, and I have several IAM users in this account. I would like to set a bucket policy so that multiple users can access this bucket.
For access by a single user, my bucket policy looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::8474632:user/personA"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::thisbucket/*"
        }
    ]
}
I tried to change this line:
"AWS": "arn:aws:iam::8474632:user/personA"
to
"AWS": "arn:aws:iam::8474632:user/*"
to allow access to all users, but that doesn't work.
I could list all/some users one by one:
"Principal": {
    "AWS": [
        "arn:aws:iam::111122223333:user/PersonA",
        "arn:aws:iam::111122223333:user/PersonB"
    ]
},
Is there a better way to give a group of users, or all users, access to a bucket?
Upvotes: 6
Views: 9760
Reputation: 374
Probably an alternative way of doing this would be to use an IAM policy that is attached to all users. You would create a policy like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name/*"
            ]
        }
    ]
}
Then add that policy to a new role, and associate that role with the users you want to have access.
Upvotes: 6
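An added example (not from the question or the answer above) of the identity-policy approach the answer describes, using an IAM group rather than a role so the membership list lives in one place instead of in the bucket policy's Principal. The account id, bucket name, group name and user names are constructed placeholders; the boto3 calls (create_group, put_group_policy, add_user_to_group) are real IAM operations and need credentials with IAM permissions to run.

```python
"""Grant a set of IAM users access to one bucket through an IAM group."""
import json

# Constructed placeholders; not values from a real account.
BUCKET = "thisbucket"
OBJECT_ACTIONS = [
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
    "s3:PutObject", "s3:DeleteObject",
]


def bucket_access_policy(bucket: str) -> dict:
    """Identity-based policy scoped to a single bucket.

    Object-level actions match the object ARN (bucket/*), while
    s3:ListBucket is evaluated against the bucket ARN itself, so the
    two resource forms go in separate statements.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ObjectAccess", "Effect": "Allow",
             "Action": OBJECT_ACTIONS,
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "ListBucket", "Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def apply_group_policy(iam, group_name: str, bucket: str, users: list) -> dict:
    """Create the group, attach the inline policy, add each user.

    `iam` is a boto3 IAM client (or any object with the same methods).
    Returns the policy document that was attached.
    """
    doc = bucket_access_policy(bucket)
    iam.create_group(GroupName=group_name)
    iam.put_group_policy(GroupName=group_name,
                         PolicyName=f"{bucket}-access",
                         PolicyDocument=json.dumps(doc))
    for user in dict.fromkeys(users):  # de-duplicate, keep order
        iam.add_user_to_group(GroupName=group_name, UserName=user)
    return doc


if __name__ == "__main__":
    import boto3  # assumption: credentials with iam:* on these resources
    apply_group_policy(boto3.client("iam"), f"{BUCKET}-users", BUCKET,
                       ["personA", "personB"])
```

Adding or removing a user later is a single add_user_to_group / remove_user_from_group call, and the bucket policy never needs to enumerate principals.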