How to give read only access to Bucket in S3?

0

AWS S3 and I have a bucket in there that I need to give access to users, but so they can only view and download all files but not delete or upload new ones.

How do I give read only access?

What's the easy and fast way to do this? Thanks

PeteRoy
asked 3 months ago
334 views
4 Answers
2

I would suggest GetObject and ListObject. Here's an example below. You can also add a denial for PutObject and DeleteObject.

{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/Dave"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1/*",
                "arn:aws:s3:::awsexamplebucket1"
            ]
        }
    ]
}

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html

AWS
EXPERT
David
answered 3 months ago
EXPERT
reviewed 3 months ago
2

You'd want to put an explicit deny on all the actions that you don't want users to perform on this bucket; however, you'd want to exclude yourself or a set of other users/roles from this restriction. Hence your bucket policy would look something like the one below:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Deny delete and put to all except certain users/roles",
               "Action": [
                   "s3:DeleteBucket",
                   "s3:DeleteObject",
                   "s3:DeleteObjectVersion",
                   "s3:PutObject"
               ],
               "Resource": [
                   "arn:aws:s3:::mybucket",
                   "arn:aws:s3:::mybucket/*"
               ],
               "Effect": "Deny",
               "NotPrincipal": {
                   "AWS": [
                       "arn:aws:iam::<account_id>:user/<user_name>",
                       "arn:aws:iam::<account_id>:role/<role_name>"
                   ]
               }
           },
           {
               "Sid": "Allow get object access to everyone",
               "Action": [
                   "s3:ListBucket",
                   "s3:GetObject"
               ],
               "Resource": [
                   "arn:aws:s3:::mybucket",
                   "arn:aws:s3:::mybucket/*"
               ],
               "Effect": "Allow",
               "Principal": "*"
           }
       ]
   }

For more details, refer to Bucket policy examples.

Hope this helps, comment here if you have additional questions.

AWS
EXPERT
answered 3 months ago
EXPERT
reviewed 3 months ago
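A bucket policy like the ones in the answers above can be checked before it is pasted into the console. The following is an added example, not code from any answer or from AWS: a small linter that flags duplicate JSON keys, actions paired with the wrong Resource form, Allow statements that grant more than read, and an unconditional Allow to Principal "*". It only knows the actions named on this page, and the account ID, user, role and bucket names in the sample are constructed placeholders.

```python
import json
# Actions that apply to the bucket ARN vs. to object ARNs (bucket/*).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:DeleteBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"}
READ_ONLY = {"s3:GetObject", "s3:ListBucket"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(text):
    """Return findings for a bucket policy that is meant to be read-only."""
    findings = []
    def hook(pairs):  # json.loads otherwise keeps only the last duplicate key
        keys = [k for k, _ in pairs]
        for k in sorted({k for k in keys if keys.count(k) > 1}):
            findings.append(f"duplicate key {k!r}: earlier values are dropped")
        return dict(pairs)
    policy = json.loads(text, object_pairs_hook=hook)
    for st in as_list(policy["Statement"]):
        sid = st.get("Sid", "<no Sid>")
        actions = set(as_list(st.get("Action", [])))
        resources = as_list(st.get("Resource", []))
        on_bucket = any("/" not in r for r in resources)  # bucket ARNs have no "/"
        on_object = any("/" in r or r.endswith("*") for r in resources)  # "*" spans keys
        if not on_bucket:
            findings += [f"{sid}: {a} needs the bucket ARN in Resource"
                         for a in sorted(actions & BUCKET_ACTIONS)]
        if not on_object:
            findings += [f"{sid}: {a} needs the bucket/* ARN in Resource"
                         for a in sorted(actions & OBJECT_ACTIONS)]
        if st.get("Effect") == "Allow":
            findings += [f"{sid}: Allow grants non-read action {a}"
                         for a in sorted(actions - READ_ONLY)]
            if st.get("Principal") in ("*", {"AWS": "*"}) and "Condition" not in st:
                findings.append(f"{sid}: Principal '*' allows anonymous access")
    return findings

# Constructed sample: placeholder account ID, user, role and bucket names.
SAMPLE = '''{"Version": "2012-10-17", "Statement": [
 {"Sid": "DenyWrites", "Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:PutObject"],
  "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:user/example-user",
                   "AWS": "arn:aws:iam::111122223333:role/example-role"},
  "Resource": "arn:aws:s3:::example-bucket/*"},
 {"Sid": "PublicRead", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
  "Principal": "*",
  "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}'''

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE)))
```

An empty result means none of these four checks fired; it does not evaluate IAM identity policies or the account's Block Public Access settings.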
1

By default, when you create a bucket, the AWS S3 security policy is to deny actions on objects for this bucket. I would recommend the same thing as David; otherwise, use the bucket policy generator if you are not familiar with the JSON format: https://awspolicygen.s3.amazonaws.com/policygen.html

answered 3 months ago
  • I'm sorry, I still don't understand what my process is.

    Do I need to do the following?

    1. Create a user in IAM?
    2. Give the user permission?
    3. Ask the user to download software like CyberDuck to view the S3 bucket?

    I would prefer if I could give the user a link and he will simply use credentials to log in and view all the links in the bucket.

    Thank you

0

I don't know how to use these commands. At our organization we use Amazon S3 because of the CDN; it replaced the FTP server we had, which was too slow.

Is there a method to make the S3 behave like an FTP website where a user can simply go to a link and see all the download links in the S3 bucket?

Thank you

PeteRoy
answered 3 months ago
  • You have to go to the S3 console, select your S3 bucket and go to Permissions -> Bucket Policy, Edit bucket policy, and add a bucket policy based on your requirement. The policy example which I gave above is for the use case that you mentioned; you would still need to replace some of the details, such as the bucket name and IAM user/role details.
