         | Did this page help you? Yes No Tell us about it... |
Using IAM Policies
Topics
AWS Identity and Access Management (IAM) enables you to create multiple users within your AWS account, assign them security credentials, and manage their permissions. You manage user permissions via IAM policies. These policies are attached to the users, enabling centralized control of permissions for users under your AWS account.
Amazon S3 supports resource-based permissions on objects and buckets using access control list (ACL) and bucket policies. The ACLs and bucket policies are attached to buckets and objects defining which AWS accounts (or other groups of actors) have access and the type of access.
You can use both of these in conjunction with IAM user policies to control access to your Amazon S3 resources. The following table summarizes similarities and differences between ACLs, bucket policies, and IAM policies.
| Type of Access Control | AWS Account-Level Control? | User-Level Control? | Format |
|---|---|---|---|
|
ACLs |
Yes |
No |
Special XML-based format defined by Amazon S3 |
|
Bucket policies |
Yes |
Yes |
Access policy language |
|
IAM policies |
No |
Yes |
Access policy language |
With ACLs, you can only grant other AWS accounts access to your Amazon S3 resources. With IAM policies, you can only grant users within your own AWS account permission to your Amazon S3 resources. With bucket policies, you can do both.
This section describes how IAM works with bucket policies and ACLs.
IAM and Bucket Policies Together
When someone sends a request to use your AWS account's Amazon S3 resources, we evaluate all applicable ACLs, bucket policies, and IAM policies together to determine whether to give the requester access.
Although you can still use ACLs to grant permission, this section focuses on how to use IAM
policies and bucket policies to give users in your AWS account
permissions to access your Amazon S3 resources. You can use bucket policies, IAM
policies, or both. For the most part, you can achieve the same results with either. For
example, the following diagram shows an IAM policy and a bucket policy that are
equivalent. The IAM policy (on the left) allows the Amazon S3
PutObject action for the bucket called bucket_xyz in your AWS
account, and it's attached to the users Bob and Susan (which means Bob and Susan have
the permissions stated in the policy).
The bucket policy (on the right) is attached to bucket_xyz. As with the IAM policy,
the bucket policy gives Bob and Susan permission to access
PutObject on bucket_xyz.
![[Note]](http://docs.amazonwebservices.com/docs-common/images/note.png) | Note |
|---|---|
The preceding example shows simple policies with no conditions. You could specify a particular condition in either policy and get the same result. |
IAM policies lets you manage access to your Amazon S3 resources based on user; whereas bucket policies let you manage access based on the specific resources. The following examples further illustrate how the two policy systems work together.
Example 1
In this example, Bob has both an IAM policy and a bucket policy that
apply to him. The IAM policy gives him permission to use
PutObject on bucket_xyz, whereas the bucket policy gives
him permission to use ListBucket on that same bucket. The
following diagram illustrates the concept.
If Bob were to send a request to put an object into bucket_xyz, the IAM policy would allow the action. If Bob were to send a request to list the objects in bucket_xyz, the bucket policy would allow the action.
Example 2
In this example, we build on the previous example (where Bob has two policies that apply to him). Let's say that Bob abuses his access to bucket_xyz, so you want to remove his entire access to that bucket. The easiest thing to do is add a policy that denies him access to all actions on the bucket. This third policy overrides the other two, because an explicit deny always overrides an allow (for more information about policy evaluation logic, see Evaluation Logic). The following diagram illustrates the concept.
Alternatively, you could add an additional statement to the bucket policy that denies Bob any type of access to the bucket. It would have the same effect as adding a IAM policy that denies him access to the bucket.
For examples of policies that cover Amazon S3 actions and resources, see Example Policies for Amazon S3. For more information about writing S3 policies, go to the Amazon Simple Storage Service Developer Guide.
Permissions for Resource Creator
Amazon S3 by default gives the AWS account that created the bucket or object full permissions on that resource. However, if a user (not the AWS account) creates a bucket or object, that user doesn't by default have permission to perform other actions on that resource. The user must be granted the additional permissions in an IAM policy.
Amazon S3 ARNs
For Amazon S3, the resources you can specify in a policy are buckets and objects. The Amazon Resource Name (ARN) follows this format:
arn:aws:s3:::bucket_name/key_namewhere arn:aws:s3:::bucket_name refers only to the bucket,
and the entire string arn:aws:s3:::bucket_name/key_name refers to the object.
For example:
arn:aws:s3:::example_bucket/developers/design_info.doc
The Region and AWS Account ID portions of the ARN must be empty because bucket names are global.
Amazon S3 Actions
The Amazon S3 actions that you can specify in a policy are divided into groups based on the type of resource.
Actions Related to Objects
s3:GetObject(covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAPGetObject, and SOAPGetObjectExtended)s3:GetObjectVersion(covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAPGetObject, and SOAPGetObjectExtended)s3:PutObject(covers the REST PUT Object, REST POST Object, REST Initiate Multipart Upload, REST Upload Part, REST Complete Multipart Upload, SOAPPutObject, and SOAPPutObjectInline)s3:GetObjectAcls3:GetObjectVersionAcls3:PutObjectAcls3:PutObjectVersionAcls3:DeleteObjects3:DeleteObjectVersions3:ListMultipartUploadPartss3:AbortMultipartUpload
Actions Related to Buckets
s3:CreateBuckets3:DeleteBuckets3:ListBuckets3:ListBucketVersionss3:ListAllMyBuckets(covers REST GET Service and SOAPListAllMyBuckets)s3:ListBucketMultipartUploads
Actions Related to Bucket Sub-Resources
s3:GetBucketAcls3:PutBucketAcls3:GetBucketVersionings3:PutBucketVersionings3:GetBucketRequesterPayss3:PutBucketRequesterPayss3:GetBucketLocations3:GetBucketPolicys3:PutBucketPolicys3:GetBucketNotifications3:PutBucketNotifications3:GetBucketLoggings3:PutBucketLoggings3:GetLifecycleConfigurations3:PutLifecycleConfiguration
You can delete objects by explicitly calling the DELETE Object API or configure its
lifecycle (see Object Expiration) to
enable Amazon S3 to remove them for you. If you want to block users or accounts from
removing or deleting objects from your bucket you must deny them
s3:DeleteObject, s3:DeleteObjectVersion and
s3:PutLifecycleConfiguration actions.
Amazon S3 Policy Keys
Policy keys let you restrict access to resources based on information other than just the API action being requested. They let you restrict access based on contextual information about the request, such as the IP address of the requester, the time and date of the request, etc. Amazon S3 has a rich integration with IAM that lets you restrict access based on a wide variety of contextual information about the request. For example, you can restrict access based on values of general HTTP headers or Amazon S3-specific headers in the request. This section lists the policy keys available for you to use with policies that restrict access to your AWS account's Amazon S3 resources. For more information about policy keys, see Condition.
Amazon S3 implements the AWS-wide policy keys in the following table.
Available Keys
AWS provides a set of common keys supported by all AWS products that adopt the access policy language for access control. These keys are:
aws:CurrentTime—Key to use with date conditions to restrict access based on request time. For date/time conditions (see Date Conditions)aws:SecureTransport—Boolean representing whether the request was sent using SSL (see Boolean Conditions)aws:SourceIp—The requester's IP address, for use with IP address conditions (see IP Address)aws:UserAgent—Information about the requester's client application, for use with string conditions (see String Conditions)aws:EpochTime—Number of seconds since epoch.aws:Referer—Same as the HTTPrefererfield.
The key names are case insensitive. For example, aws:CurrentTime is
equivalent to AWS:currenttime.
| Note |
|---|---|
If you use |
Each AWS service that uses the access policy language might also provide service-specific keys. For a list of service-specific keys you can use, see Special Information for Amazon S3 Policies.
Amazon S3 also has action-specific policy keys. They're grouped by resource type and applicable action in the following tables. Some policy keys are applicable to more than one resource type or action.
![[Important]](http://docs.amazonwebservices.com/docs-common/images/important.png) | Important |
|---|---|
IAM cannot evaluate a policy for validity within Amazon S3. If you specify an invalid key/action combination in the policy, IAM doesn't throw an error when you upload the policy to IAM. Also, you will not receive an error message from Amazon S3. Amazon S3 can determine only that the policy doesn't apply because it cannot fulfill the conditions. However, if you use a policy condition in an unexpected way (for example, you use a string field as a numeric comparison), Amazon S3 will throw an exception on the request and access will be denied. |
Unless otherwise noted, each key is for use with the access policy language's string conditions (for more information, see String Conditions).
Object Keys in Amazon S3 Policies
The following list shows the keys related to objects that can be in Amazon S3 policies.
| Action | Applicable Keys | Description |
|---|---|---|
|
|
|
The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: Example value: |
|
|
The header that specifies the name of the source bucket and key name of the source object, separated by a slash (/). Used when copying an object. Example value: | |
|
|
The header that specifies whether the metadata is copied from the source object or replaced with metadata provided in the request. If copied, the metadata, except for the version ID, remains unchanged. Otherwise, all original metadata is replaced by the metadata you specify. Used when copying an object. Valid values: Example value: | |
|
|
|
The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: Example value: |
|
|
|
The version ID of the object being retrieved. Example value: |
|
|
|
The version ID of the object ACL being retrieved. Example value: |
|
|
|
The version ID of the object ACL being PUT. Example value: |
|
|
The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. Valid values: Example value: | |
|
|
|
The version ID of the object being deleted. Example value: |
Bucket Keys in Amazon S3 Policies
The following table shows the keys related to buckets that can be in Amazon S3 policies.
| Action | Applicable Keys | Description |
|---|---|---|
|
|
|
The Amazon S3 canned ACL that is applied to the bucket. A canned ACL represents a predefined permission that can be applied to the bucket being created. Valid values: Example value: |
|
|
Specifies the Region where the bucket will be created. Valid values are
Example value: | |
|
|
|
Limits the response to objects that begin with the specified prefix. Use this to allow or deny access to objects that begin with the prefix. Example value: |
|
|
The character you use to group objects. Example value: | |
|
|
The number of objects to return from the call. The maximum allowed value (and default) is 1000. For use with access policy language numeric conditions (for more information, see Numeric Conditions). Example value: | |
|
|
|
Header that lets you limit the response to include only keys that begin with the specified prefix. Example value: |
|
|
The character you use to group objects. Example value: | |
|
|
The number of objects to return from the call. The maximum allowed value (and default) is 1000. For use with access policy language numeric conditions (for more information, see Numeric Conditions). Example value: | |
|
|
|
The Amazon S3 canned ACL that is applied to the bucket. A canned ACL represents a predefined permission that can be applied to the bucket being created. Valid values: Example value: |
Example Policies for Amazon S3
This section shows several simple IAM policies for controlling user access to Amazon S3.
| Note |
|---|---|
In the future, Amazon S3 might add new actions that should logically be included in one of the following policies, based on the policy’s stated goals. |
Example 1: Allow each user to have a home directory in Amazon S3
In this example, we create a policy that we'll attach to the user named Bob. The policy gives Bob access to the following home directory in Amazon S3: my_corporate_bucket/home/bob. Bob is allowed to access only the specific Amazon S3 actions shown in the policy, and only with the objects in his home directory.
{
"Statement":[{
"Effect":"Allow",
"Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion",
"s3:DeleteObject","s3:DeleteObjectVersion"],
"Resource":"arn:aws:s3:::my_corporate_bucket/home/bob/*"
}
]
}Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket
This example builds on the previous example that gives Bob a home directory. To
give Bob the ability to list the objects in his home directory, he needs access to
ListBucket. However, we want the results to include only
objects in his home directory, and not everything in the bucket. To restrict his
access that way, we use the policy condition key called s3:prefix with
the value set to home/bob/*. This means that only objects with a prefix
home/bob/* will be returned in the ListBucket
response.
{
"Statement":[{
"Effect":"Allow",
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::my_corporate_bucket",
"Condition":{
"StringLike":{
"s3:prefix":"home/bob/*"
}
}
}
]
}Example 3: Allow a group to have a shared directory in Amazon S3
In this example, we create a policy that gives the group access to the following directory in Amazon S3: my_corporate_bucket/share/marketing. The group is allowed to access only the specific Amazon S3 actions shown in the policy, and only with the objects in the specific directory.
{
"Statement":[{
"Effect":"Allow",
"Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion",
"s3:DeleteObject","s3:DeleteObjectVersion"],
"Resource":"arn:aws:s3:::my_corporate_bucket/share/marketing/*"
}
]
}Example 4: Allow all your users to read objects in a portion of the corporate bucket
In this example we create a group called AllUsers and put all
the AWS account's users in the group. We then attach a policy that gives the group
access to GetObject and GetObjectVersion,
but only for objects in the my_corporate_bucket/readonly directory.
{
"Statement":[{
"Effect":"Allow",
"Action":["s3:GetObject","s3:GetObjectVersion"],
"Resource":"arn:aws:s3:::my_corporate_bucket/readonly/*"
}
]
}Example 5: Allow a partner to drop files into a specific portion of the corporate bucket
In this example, we create a group called WidgetCo that represents the partner company, then create a user for the specific person (or application) at the partner company who needs access, and then put the user in the group.
We then attach a policy that gives the group PutObject access
to the following directory in the corporate bucket:
my_corporate_bucket/uploads/widgetco.
We also want to prevent the WidgetCo group from doing anything else with the bucket, so we
add a statement that denies permission to any Amazon S3 actions except
PutObject on any Amazon S3 resource in the AWS account.
This is only necessary if there's a broad policy in use elsewhere in your AWS
account that gives users wide access to Amazon S3.
{
"Statement":[{
"Effect":"Allow",
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"
},
{
"Effect":"Deny",
"NotAction":"s3:PutObject",
"Resource":["arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"]
},
{
"Effect":"Deny",
"Action":"s3:*",
"NotResource": ”arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"
}]
}
