How can I grant a user Amazon S3 console access to only a certain bucket or folder?


I want to grant a user Amazon Simple Storage Service (Amazon S3) console access to a bucket or folder (prefix). However, I don't want the user to see other buckets in the account or other folders within the bucket.

Short description

Change a user's AWS Identity and Access Management (IAM) permissions to limit the user's Amazon S3 console access to a certain bucket or folder (prefix):

1.    Remove permission to the s3:ListAllMyBuckets action.

2.    Add permission to s3:ListBucket only for the bucket or folder that you want the user to access. To allow the user to upload and download objects from the bucket or folder, you must also include s3:PutObject and s3:GetObject.

Resolution

1.    Open the IAM console.

2.    Select the IAM user or role whose Amazon S3 access you want to restrict.

3.    In the Permissions tab of the IAM user or role, expand each policy to view its JSON policy document.

4.    In the JSON policy document, search for the policy that grants the user permission to the s3:ListAllMyBuckets action or to s3:* actions (all S3 actions).

5.    Modify the policy to remove permission to the s3:ListAllMyBuckets action.

Note: If an attached user policy allows s3:* or full administrator access on the "*" resource, then that policy already includes the s3:ListAllMyBuckets permission. Remove the "*" resource. Then, use one of the following example policies.

6.    Add permission to s3:ListBucket only for the bucket or folder that you want the user to access from the console.

The following example policy is for access to an S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    }
  ]
}

The policy allows the user to perform the s3:ListBucket, s3:PutObject, and s3:GetObject actions only on DOC-EXAMPLE-BUCKET.

The following example policy grants access to a folder. The policy allows the user to perform the s3:ListBucket, s3:ListBucketVersions, s3:PutObject, s3:GetObject, and s3:GetObjectVersion actions only on folder2 within DOC-EXAMPLE-BUCKET. Include s3:ListBucketVersions, s3:GetObjectVersion, and s3:GetBucketVersioning only if versioning is turned on for the bucket and you want users to access prior versions of objects.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToAccessFolder2Only",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/folder1/folder2/*"
      ]
    },
    {
      "Sid": "AllowListOfBucketOnlyOnPrefix",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "folder1/folder2/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowListVersionOnObjectDetails",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ]
    }
  ]
}

7.    Provide the user with a direct console link to the S3 bucket or folder.

Warning: After you change these permissions, the user gets an Access Denied error when they open the main Amazon S3 console page. The user must use a direct console link to access the bucket or folder.

The following link is an example of a direct console link to an S3 bucket:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/

The following link is an example of a direct console link to a folder:

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/folder1/folder2/
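The following script is an added example, not part of the article, that checks the two properties the steps above depend on: whether a policy still grants s3:ListAllMyBuckets (step 4), and which listings the scoped s3:ListBucket statement actually permits, which is why the direct folder link in step 7 works while the bucket root does not. The policies, bucket name and prefixes are constructed for the example; it models only Allow statements, the bucket ARN and the StringLike s3:prefix condition, not Deny statements or other condition operators.

```python
import fnmatch
import json

# Constructed sample policies (not the article's own JSON). BROAD is the kind of
# policy step 4 tells you to look for; SCOPED follows the folder pattern in step 6.
BROAD = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                   '"Action":"s3:*","Resource":"*"}]}')
SCOPED = json.loads('''{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":["s3:ListBucket"],"Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET",
  "Condition":{"StringLike":{"s3:prefix":["folder1/folder2/*"]}}},
 {"Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],
  "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET/folder1/folder2/*"}]}''')


def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _glob(pattern, text):
    # IAM matches actions, ARNs and StringLike values with * and ? wildcards.
    return fnmatch.fnmatchcase(text, pattern)


def _allows_action(stmt, action):
    # Action names are matched case-insensitively, so s3:* and S3:ListBucket both count.
    return stmt.get("Effect") == "Allow" and any(
        _glob(a.lower(), action) for a in _as_list(stmt.get("Action", [])))


def grants_list_all_buckets(policy):
    """True if any Allow statement covers s3:ListAllMyBuckets, directly or via s3:* or *."""
    return any(_allows_action(s, "s3:listallmybuckets") for s in _as_list(policy["Statement"]))


def can_list_prefix(policy, bucket, prefix):
    """Simplified check of s3:ListBucket on `bucket` for a console listing of `prefix`
    ("" is the bucket root). Only Allow statements, the bucket ARN and the StringLike
    s3:prefix condition are modelled; Deny statements and other operators are ignored."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy["Statement"]):
        if not _allows_action(stmt, "s3:listbucket"):
            continue
        # s3:ListBucket is a bucket-level action: the resource must match the bucket
        # ARN itself, so a statement scoped to BUCKET/* does not grant listing.
        if not any(_glob(r, bucket_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        allowed = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        # No s3:prefix condition means the whole bucket may be listed (first example policy).
        if allowed is None or any(_glob(p, prefix) for p in _as_list(allowed)):
            return True
    return False
```

With SCOPED, listing the bucket root (empty prefix) is refused while listing folder1/folder2/ is allowed, which is the behaviour behind the Access Denied warning and the need for a direct link.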

Related information

User policy examples

AWS OFFICIAL, updated a year ago
4 Comments

Excellent, it was a great help :) Thank you

replied a year ago

Thanks for the great article!

replied a year ago

Actually, in the first example (for access to an S3 bucket), when I removed the s3:ListAllMyBuckets action, then added the ListBucket action, the user cannot see any of the buckets anymore. Why is that? Please help!

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 9 months ago