I would suggest GetObject and ListObject. Here's an example below. You can also add a denial for PutObject and DeleteObject.
```json
{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy01",
  "Statement": [
    {
      "Sid": "ExampleStatement01",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/Dave"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::awsexamplebucket1/*",
        "arn:aws:s3:::awsexamplebucket1"
      ]
    }
  ]
}
```
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html
You'd want to put an explicit deny on all the actions that you don't want users to perform on this bucket; however, you'd want to exclude yourself or a set of other users/roles from this restriction. Hence your bucket policy would look something like the one below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny delete and put to all except certain users/roles",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ],
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::<account_id>:user/<user_name>",
          "arn:aws:iam::<account_id>:role/<role_name>"
        ]
      }
    },
    {
      "Sid": "Allow get object access to everyone",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ],
      "Effect": "Allow",
      "Principal": "*"
    }
  ]
}
```
For more details, refer to Bucket policy examples.
Hope this helps, comment here if you have additional questions.
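The two answers above write the policy JSON by hand, which is where the usual mistakes creep in: a bucket-level action such as `s3:DeleteBucket` listed against an object ARN (`bucket/*`) never matches, two identical `"AWS"` keys inside `NotPrincipal` are not an error in JSON but silently keep only the last principal, and an `Allow` to `Principal "*"` makes the bucket public, which S3 Block Public Access (on by default for new buckets) rejects. The script below is an added example, not code from either answer or from AWS: it builds the same "read for readers, write only for maintainers" policy as Python data, lints a policy for those mistakes, and loads JSON strictly so duplicate keys are rejected. The bucket name, account ID and principal ARNs are placeholders; the note that a `Deny` with `NotPrincipal` should also exempt the account root ARN follows the IAM documentation's `NotPrincipal` guidance.

```python
import json

# S3 actions evaluated against the bucket ARN; everything else used here is object-level.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:DeleteBucket", "s3:GetBucketLocation"}


def resources_for(bucket, actions):
    """Return the ARNs a statement needs so that every action in it can match."""
    res = []
    if any(a in BUCKET_LEVEL_ACTIONS for a in actions):
        res.append(f"arn:aws:s3:::{bucket}")
    if any(a not in BUCKET_LEVEL_ACTIONS for a in actions):
        res.append(f"arn:aws:s3:::{bucket}/*")
    return res


def build_policy(bucket, account_id, maintainers, readers):
    """Deny writes to everyone except `maintainers`; allow reads to `readers`.

    `readers` is either "*" (public, as in the thread) or a list of principal ARNs.
    The account root ARN is added to NotPrincipal: the IAM docs recommend it,
    because a Deny that is not exempted for the account can also hit its users.
    """
    write_actions = ["s3:DeleteBucket", "s3:DeleteObject",
                     "s3:DeleteObjectVersion", "s3:PutObject"]
    read_actions = ["s3:ListBucket", "s3:GetObject"]
    exempt = list(maintainers) + [f"arn:aws:iam::{account_id}:root"]
    principal = "*" if readers == "*" else {"AWS": list(readers)}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyWriteExceptMaintainers", "Effect": "Deny",
             "NotPrincipal": {"AWS": exempt}, "Action": write_actions,
             "Resource": resources_for(bucket, write_actions)},
            {"Sid": "AllowRead", "Effect": "Allow", "Principal": principal,
             "Action": read_actions, "Resource": resources_for(bucket, read_actions)},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable findings for the mistakes hand-written bucket policies commonly carry."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        resources = _as_list(st["Resource"])
        has_bucket = any(not r.endswith("/*") for r in resources)
        has_object = any(r.endswith("/*") for r in resources)
        for action in _as_list(st["Action"]):
            if action in BUCKET_LEVEL_ACTIONS and not has_bucket:
                findings.append(f"{sid}: {action} matches the bucket ARN, but only object ARNs are listed")
            if action not in BUCKET_LEVEL_ACTIONS and not has_object:
                findings.append(f"{sid}: {action} matches object ARNs (bucket/*), but only the bucket ARN is listed")
        principal = st.get("Principal")
        if st["Effect"] == "Allow" and (principal == "*" or principal == {"AWS": "*"}):
            findings.append(f"{sid}: Principal '*' makes the bucket public; S3 Block Public Access "
                            "(on by default for new buckets) rejects such a policy")
        if st["Effect"] == "Deny" and "NotPrincipal" in st:
            exempt = _as_list(st["NotPrincipal"].get("AWS", []))
            if not any(p.endswith(":root") for p in exempt):
                findings.append(f"{sid}: Deny with NotPrincipal should also list the account root ARN")
    return findings


def load_policy_strict(text):
    """json.loads keeps only the last of two identical keys; reject that instead of dropping a principal."""
    def reject_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate key {key!r}: put both principals in one list under a single key")
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=reject_duplicates)


# Constructed sample in the shape of the thread's second policy: two "AWS" keys in NotPrincipal.
DUPLICATE_KEY_JSON = """{"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/*",
  "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:user/alice",
                   "AWS": "arn:aws:iam::111122223333:role/deployer"}}]}"""

if __name__ == "__main__":
    policy = build_policy("mybucket", "111122223333",
                          ["arn:aws:iam::111122223333:user/alice"], readers="*")
    print(json.dumps(policy, indent=2))
    for finding in lint_policy(policy):
        print("finding:", finding)
    try:
        load_policy_strict(DUPLICATE_KEY_JSON)
    except ValueError as err:
        print("rejected:", err)
```

Pipe the printed JSON into `aws s3api put-bucket-policy --bucket mybucket --policy file://policy.json` once `lint_policy` comes back empty; if you really do want anonymous reads, the public finding tells you that Block Public Access has to be relaxed on that bucket first, which is a deliberate step rather than something the policy editor will do for you.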
By default, when you create a bucket, the AWS S3 security policy is to deny actions on objects in this bucket. I would recommend the same thing as David; otherwise, use the bucket policy generator if you are not familiar with the JSON format. https://awspolicygen.s3.amazonaws.com/policygen.html
I don't know how to use these commands. At our organization we use Amazon S3 because of the CDN; it replaced the FTP server we had, which was too slow.
Is there a method to make the S3 behave like an FTP website where a user can simply go to a link and see all the download links in the S3 bucket?
Thank you
You have to go to the S3 console, select your S3 bucket, go to Permissions -> Bucket Policy, edit the bucket policy and add a bucket policy based on your requirements. The policy example I gave above is for the use case that you mentioned; you would still need to replace some of the details such as the bucket name and IAM user/role details.
I'm sorry, I still don't understand what my process is.
Do I need to do the following?
I would prefer if I could give the user a link and he will simply use credentials to login and view all the links in the bucket.
Thank you