Easy Multi-User S3 Policy

I recently had to set up multiple users and buckets in the Amazon Simple Storage Service (S3) and I wanted an easy way to set up permissions. This IAM group policy does the following:

Group members can:

list all buckets;
have full access to buckets named with their username as a prefix (eg: user amin can access buckets amin-data, amin-backup, etc);
not access any other buckets

This achieves a homedir-style system with very little effort. I hope this helps someone!

{
  "Version": "2012-10-17",
  "Statement": [
    {
       "Action":["s3:ListAllMyBuckets" ],
       "Effect":"Allow",
       "Resource":["arn:aws:s3:::*"]
    },
    {
       "Action":["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketVersioning", "s3:PutBucketVersioning" ],
       "Effect":"Allow",
       "Resource":["arn:aws:s3:::${aws:username}*"]
    }
  ]
}

2014-01-02

Dialogue & Discussion