IAM Policy
This doc covers how to create an IAM policy that grants folder-level (prefix-scoped) access to an S3 bucket.
- Create a policy from the JSON below and make the required changes.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllBucketViewAccessOnS3Console",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowListSpecificBucketsPaths",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucketName"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "",
            "brandName",
            "brandName/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowObjectSpecificActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutObjectVersionAcl",
        "s3:GetBucketCORS",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::bucketName/brandName/*"
      ]
    }
  ]
}
```
- Take the JSON above as a reference and replace bucketName with your bucket and brandName with your brand name.
- Add or remove permissions as required by the use case. For example, this policy is read_write; if someone needs the delete operation, add it only after approval from the DevOps lead.
- Then add tags in the key/value format below.
  - Brand = brandName
  - Bucket1 = bucketName
  - Bucket1_Path1 = bucketName/brandName/
- You can also take a reference from an existing brand policy.
- Follow the naming convention for the policy as shown below.
  - The name follows the use case: read, read_write, or read_write_delete. For example, if the policy is read-write, the name would be s3_limited_read_write_brandName.
- Then add the description with the content below, changing brandName to your brand name.
  Limited read-write access to s3 buckets used for brand brandName. Buckets are mentioned in tags.
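To make the substitution, naming, tagging and description steps above repeatable, here is an added Python example (not part of this doc or of any team tooling) that renders the policy for a given bucket and brand, derives the policy name, description and tags per the rules above, and lints the result before it is created. The bucket and brand values are constructed placeholders. The lint encodes one check worth knowing about when reusing the template: s3:GetBucketCORS is a bucket-level action, so listing it under the object resource bucketName/brandName/* grants nothing; it belongs on the bucket ARN if CORS read is actually needed. The set of bucket-level actions in the script is an assumption drawn from the S3 action reference.

```python
"""Added example (not part of this doc): render, name, tag and lint the
folder-scoped S3 policy described above. Bucket/brand values are
constructed placeholders, not real resources."""
import json
from typing import Dict, List, Optional

# Object-level actions from the doc's read_write policy, in the doc's order.
OBJECT_ACTIONS = [
    "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:PutObjectAcl", "s3:PutObject",
    "s3:GetObject", "s3:PutObjectVersionAcl", "s3:GetBucketCORS", "s3:GetObjectVersion",
]
# Only these two may sit on the arn:aws:s3:::* resource (console bucket listing).
CONSOLE_ACTIONS = ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]
# Assumption (from the S3 action reference): these actions are evaluated against
# the bucket ARN, so granting them on an object ARN (bucket/prefix/*) is a no-op.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketCORS"}
ACCESS_LEVELS = ("read", "read_write", "read_write_delete")


def render_policy(bucket: str, brand: str, extra_actions: Optional[List[str]] = None) -> Dict:
    """Fill the doc's template with the real bucket and brand (folder) names."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowAllBucketViewAccessOnS3Console",
             "Action": list(CONSOLE_ACTIONS),
             "Effect": "Allow",
             "Resource": ["arn:aws:s3:::*"]},
            {"Sid": "AllowListSpecificBucketsPaths",
             "Action": ["s3:ListBucket"],
             "Effect": "Allow",
             "Resource": [bucket_arn],
             # "" lets the console open the bucket root; the other two scope it to the brand folder.
             "Condition": {"StringLike": {"s3:prefix": ["", brand, f"{brand}/*"]}}},
            {"Sid": "AllowObjectSpecificActions",
             "Effect": "Allow",
             "Action": OBJECT_ACTIONS + list(extra_actions or []),
             "Resource": [f"{bucket_arn}/{brand}/*"]},
        ],
    }


def policy_name(brand: str, access: str = "read_write") -> str:
    """Naming convention from the doc: s3_limited_<access>_<brandName>."""
    if access not in ACCESS_LEVELS:
        raise ValueError(f"access must be one of {ACCESS_LEVELS}, got {access!r}")
    return f"s3_limited_{access}_{brand}"


def policy_description(brand: str) -> str:
    """Description text from the doc with brandName substituted."""
    return (f"Limited read-write access to s3 buckets used for brand {brand}. "
            "Buckets are mentioned in tags.")


def policy_tags(bucket: str, brand: str) -> List[Dict[str, str]]:
    """Tags in the Key/Value shape the doc asks for (the shape `aws iam create-policy --tags` takes)."""
    return [
        {"Key": "Brand", "Value": brand},
        {"Key": "Bucket1", "Value": bucket},
        {"Key": "Bucket1_Path1", "Value": f"{bucket}/{brand}/"},
    ]


def lint_policy(policy: Dict, bucket: str, brand: str) -> List[str]:
    """Findings a reviewer would raise before the policy is created or attached."""
    findings: List[str] = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    folder_arn = f"{bucket_arn}/{brand}/*"
    allowed_prefixes = {"", brand, f"{brand}/*"}
    for st in policy["Statement"]:
        sid, actions = st["Sid"], st["Action"]
        # Delete is outside the read_write profile; the doc requires DevOps lead approval first.
        for a in actions:
            if a.startswith("s3:Delete"):
                findings.append(f"{sid}: {a} needs DevOps lead approval (read_write_delete policy)")
        for res in st["Resource"]:
            if res == "arn:aws:s3:::*":
                if not set(actions) <= set(CONSOLE_ACTIONS):
                    findings.append(f"{sid}: wildcard resource grants more than console bucket listing")
            elif res not in (bucket_arn, folder_arn):
                findings.append(f"{sid}: resource {res} is outside {bucket}/{brand}")
            elif res == folder_arn:
                for a in actions:
                    if a in BUCKET_LEVEL_ACTIONS:
                        findings.append(f"{sid}: {a} is bucket-level; it has no effect on {res}")
            elif "s3:ListBucket" in actions:  # res == bucket_arn
                prefixes = set(st.get("Condition", {}).get("StringLike", {}).get("s3:prefix", []))
                if not prefixes or not prefixes <= allowed_prefixes:
                    findings.append(f"{sid}: s3:ListBucket must be limited to prefixes {sorted(allowed_prefixes)}")
    return findings


if __name__ == "__main__":
    bucket, brand = "example-bucket", "exampleBrand"  # constructed placeholders
    doc = render_policy(bucket, brand)
    print(json.dumps(doc, indent=2))
    print("name:", policy_name(brand))
    print("description:", policy_description(brand))
    print("tags:", json.dumps(policy_tags(bucket, brand)))
    for finding in lint_policy(doc, bucket, brand):
        print("finding:", finding)
```

Run as-is, the script prints the rendered document and exactly one finding, the s3:GetBucketCORS placement noted above; passing a list containing an s3:Delete* action as `extra_actions` produces the approval finding, and linting a document against a different brand name flags its resources as out of scope. The `""` entry in s3:prefix is what lets the console open the bucket root; AWS's documented folder-access pattern pairs it with an `s3:delimiter` condition of `"/"` so that root listing stays at folder level, which is worth adding if users also have CLI access.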