How to restrict the user to download data from amazon S3 usin IAM?

Question

• I have many buckets and none of them should allow anonymous access
• The user I have added must have access to one bucket only and should be able to enter any other bucket
• The user must NOT be able to add/modify/delete buckets
• The user should be able to list files in his bucket
• The user must NOT be able to download files from the buckets The user should be able to add files in the bucket

please suggest

Answer 1

It sounds like your requirements are:

• You have multiple IAM Users
• Each user will have their own bucket
• Users can list the contents of their bucket and upload files to their bucket
• Users cannot do anything else to the objects in their bucket, nor to the bucket itself

To do this, you will want to create a policy for each IAM User.

The policy would look something like:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:ListBucket"
         ],
         "Resource":"arn:aws:s3:::Ahito-Bucket"
      }
   ]
}

See: User Policy Examples - Amazon Simple Storage Service

An alternative method is to have all users share one bucket, but create a policy that limits users to their own directory.

See: IAM Policy Elements: Variables - AWS Identity and Access Management