How do you create an AWS IAM which only has permissions on a specific bucket?


Permission on specific bucket

When backing up data to AWS S3 storage, you need to create an IAM account to access the created S3 bucket. By default, our document recommends creating an IAM account with a predefined “AmazonS3FullAccess” policy to simplify the IAM account creation process.

However, some organizations may feel unsafe creating an account with full access to all S3 buckets. Creating an IAM account which only has permissions on a specific S3 bucket is a better solution with fine-grained security.

When creating an IAM user, on the “Create group” page, click “Create policy”.  Then select the “JSON“ tab in the “Create policy” page, and paste the following code (please replace “your-bucket-name” with the real bucket name).  This will create a policy that has only permissions to that specific bucket. 

{
    "Version": "2012-10-17",
    "Statement": [
       {
         "Effect": "Allow",
         "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
         ],
         "Resource": "arn:aws:s3:::*"
       },
       {
         "Effect": "Allow",
         "Action": "s3:*",
         "Resource": [
           "arn:aws:s3:::your-bucket-name",
           "arn:aws:s3:::your-bucket-name/*"
         ]
       }
   ]
}

That is, you need to create the specific policy described above for a group, and then add the IAM user to the group.