How allow s3:putobject with inline policy only for the buckets belonging to a specific AWS account ?

Question

Hi,

I use a permision set on IAM Identity Center to allow access with ReadOnly permission on several accounts. I attached the AWS managed policy "ReadOnlyAccess" on this Permission set. 
For one of these accounts, I want to allow s3:putobject by adding an Inline policy on this Permission set, but I don't know what is the right syntax to do that. How allow s3:putobject with inline policy only for the buckets belonging to a specific AWS account ?

Thx

Best regards

Benoit

Accepted Answer

You could add a condition that compares the Bucket account with the Principle's account. Something like:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1677693648738",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

Answer

Hi

I replace ${aws:PrincipalAccount} with my accound ID and it's work like I need !

Thx

Best regards

Benoit

How allow s3:putobject with inline policy only for the buckets belonging to a specific AWS account ?

Relevanter Inhalt