Easy Multi-User S3 Policy

I recently had to set up multiple users and buckets in the Amazon Simple Storage Service (S3) and I wanted an easy way to set up permissions. This IAM group policy does the following:

Group members can:

  • list all buckets;
  • have full access to buckets whose names start with their username (e.g. user amin can access buckets amin-data, amin-backup, etc.);
  • not access any other buckets.

This achieves a homedir-style system with very little effort. I hope this helps someone!

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListAllMyBuckets"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::${aws:username}*"]
    }
  ]
}
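To see what the policy above actually grants before rolling it out, here is an added example (not part of the original post) that evaluates it offline with a simplified IAM matcher: it expands ${aws:username}, applies the * and ? wildcards, and reports which of a constructed set of bucket names each user can reach. It also checks a variant with a literal "-" after the variable, because a bare ${aws:username}* prefix lets user amin reach buckets belonging to user amina. Conditions and NotAction/NotResource are not modelled.

```python
import json
import re

# The group policy from the post, as the input this checker evaluates.
POST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow", "Resource": ["arn:aws:s3:::*"]},
    {"Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject",
                "s3:DeleteObject", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
     "Effect": "Allow", "Resource": ["arn:aws:s3:::${aws:username}*"]}
  ]
}""")

# Variant with a literal '-' after the variable, so 'amin' no longer matches 'amina-...'.
HYPHEN_POLICY = json.loads(json.dumps(POST_POLICY).replace("${aws:username}*", "${aws:username}-*"))


def _matches(pattern: str, value: str, username: str) -> bool:
    """Expand ${aws:username}, then apply IAM wildcards: '*' is any run of characters
    ('/' included, which is why 'amin*' covers both bucket and object ARNs), '?' is one."""
    expanded = pattern.replace("${aws:username}", username)
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in expanded)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, username: str, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, username) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource, username) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def listable_buckets(policy: dict, username: str, buckets: list) -> list:
    """Buckets whose contents the user could list under this policy."""
    return [b for b in buckets if is_allowed(policy, username, "s3:ListBucket", f"arn:aws:s3:::{b}")]


# Constructed bucket names; 'amina-photos' shows the prefix overlap between users amin and amina.
BUCKETS = ["amin-data", "amin-backup", "amina-photos", "bob-data", "shared-logs"]

if __name__ == "__main__":
    for pol, name in ((POST_POLICY, "post policy"), (HYPHEN_POLICY, "with '-' separator")):
        print(name, "-> amin can list:", listable_buckets(pol, "amin", BUCKETS))
```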
