How do you provide access to an S3 bucket, and what permissions need to be set on the bucket side?

To provide access to an S3 bucket, you need to set permissions both at the bucket level (bucket policy) and possibly at the individual user or role level (IAM policies). Here's a step-by-step guide on how to do this:

1. Create an IAM User/Role

First, create an IAM user or role that will access the S3 bucket. For an IAM user:

  • Go to the IAM console.
  • Click on "Users" and then "Add user."
  • Follow the prompts to create a new user and assign appropriate permissions.

For an IAM role:

  • Go to the IAM console.
  • Click on "Roles" and then "Create role."
  • Select the trusted entity (e.g., AWS service, another account) and follow the prompts.

2. Attach a Policy to the IAM User/Role

Create a policy that grants the necessary permissions to the IAM user or role. Here's an example policy that allows full access to a specific bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
```

3. Set a Bucket Policy

To control access at the bucket level, you can set a bucket policy. Here's an example of a bucket policy that allows a specific IAM user to access the bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:user/username"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
```

4. Fine-Tune Permissions

You might want to fine-tune permissions based on the actions the user or role needs to perform. Here are some common S3 actions:

  • s3:ListBucket: List objects in the bucket.
  • s3:GetObject: Download an object from the bucket.
  • s3:PutObject: Upload an object to the bucket.
  • s3:DeleteObject: Delete an object from the bucket.

For example, if you only want to allow read-only access to the bucket, you can use the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
```
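The read-only policy above pairs `s3:ListBucket` (a bucket-level action, matched against `arn:aws:s3:::bucket`) with `s3:GetObject` (an object-level action, matched against `arn:aws:s3:::bucket/*`). The following Python script is an added example, not part of the original answer or any AWS tooling: it builds that read-only policy with each action scoped only to the resource type it applies to, and lints a policy document for the patterns that most often make an S3 grant broader than intended (wildcard actions such as the `s3:*` in steps 2 and 3, a `*` resource, a public `Principal`, and actions paired with the wrong resource type). The bucket name and account ID are placeholders, and the bucket/object action tables are a small constructed subset of the S3 action list.

```python
"""Build and lint S3 policies for least privilege (added example)."""
import json

# Constructed subset of S3 actions, grouped by the resource type they match.
BUCKET_LEVEL = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def bucket_arn(bucket):
    return f"{S3_ARN_PREFIX}{bucket}"


def object_arn(bucket):
    return f"{S3_ARN_PREFIX}{bucket}/*"


def as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_readonly_policy(bucket):
    """Read-only identity policy: one statement per resource type, so the
    object action never needs the bucket ARN and vice versa."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arn(bucket)},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": object_arn(bucket)},
        ],
    }


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (every AWS principal)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def lint_policy(policy):
    """Return (code, statement_index, detail) findings for Allow statements
    that grant more than a scoped S3 policy needs, or that pair an action
    with a resource type it cannot match (which tempts people to widen it)."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if is_public_principal(stmt.get("Principal")):
            findings.append(("PUBLIC_PRINCIPAL", i, "Allow applies to every AWS principal"))
        if "*" in resources:
            findings.append(("WILDCARD_RESOURCE", i, "Resource '*' covers every bucket"))
        # Bucket ARNs have no '/' after the prefix; object ARNs do.
        s3_res = [r[len(S3_ARN_PREFIX):] for r in resources if r.startswith(S3_ARN_PREFIX)]
        has_bucket_res = "*" in resources or any("/" not in r for r in s3_res)
        has_object_res = "*" in resources or any("/" in r for r in s3_res)
        for action in actions:
            if action.endswith("*"):
                findings.append(("WILDCARD_ACTION", i, f"{action} grants more than the task needs"))
            elif action in OBJECT_LEVEL and not has_object_res:
                findings.append(("OBJECT_ACTION_WITHOUT_OBJECT_RESOURCE", i, action))
            elif action in BUCKET_LEVEL and not has_bucket_res:
                findings.append(("BUCKET_ACTION_WITHOUT_BUCKET_RESOURCE", i, action))
    return findings


if __name__ == "__main__":
    readonly = build_readonly_policy("your-bucket-name")  # placeholder bucket
    print(json.dumps(readonly, indent=2))
    print("read-only findings:", lint_policy(readonly))
    full_access = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:*",
        "Resource": [bucket_arn("your-bucket-name"), object_arn("your-bucket-name")]}]}
    print("full-access findings:", lint_policy(full_access))
```

Run it against the policies from steps 2 and 3 and the linter reports `WILDCARD_ACTION` for `s3:*`; the read-only policy from step 4 comes back clean. The resource-type checks are the ones worth keeping in a CI pipeline: a `GetObject` grant on a bare bucket ARN silently does nothing, and the usual "fix" is to add `s3:*` or `*`.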

5. Apply the Policy

  • For an IAM user, attach the policy to the user.
  • For an IAM role, attach the policy to the role.

6. Additional Considerations

  • Bucket ACLs: In most cases, bucket policies and IAM policies are sufficient. However, you might also use ACLs for fine-grained permissions at the object level.
  • Cross-Account Access: If you need to grant access to a bucket in another AWS account, use bucket policies and IAM roles with trust relationships.
  • Public Access Settings: Ensure that public access settings are configured according to your security requirements, especially if the bucket is meant to be private.
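The cross-account bullet is the one that trips most people up: for a principal in the same account as the bucket, an Allow in either the identity policy or the bucket policy is enough, while a principal from another account needs an Allow in both, and an explicit Deny in either policy always wins. The script below is an added example, not from the original answer and not AWS's own evaluation engine: it models just those rules (Effect, Principal, Action and Resource with `*` wildcards) so you can check a policy pair before deploying it. It ignores Condition blocks, SCPs, permission boundaries, session policies, ACLs and the public access block settings, so treat its answer as a first check, not a substitute for the IAM policy simulator. All ARNs, account IDs and bucket names are constructed placeholders.

```python
"""Simplified same-account vs cross-account S3 access decision (added example)."""
from fnmatch import fnmatchcase


def as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def account_of(principal_arn):
    """Account ID is the 5th colon-separated field of an IAM ARN."""
    return principal_arn.split(":")[4]


def _match_any(patterns, value):
    return any(fnmatchcase(value, p) for p in as_list(patterns))


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None:  # identity-based policies carry no Principal element
        return True
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = as_list(principal.get("AWS"))
        return "*" in aws or principal_arn in aws
    return False


def _decision(policy, principal_arn, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    result = None
    for stmt in as_list((policy or {}).get("Statement")):
        if not (_principal_matches(stmt, principal_arn)
                and _match_any(stmt.get("Action"), action)
                and _match_any(stmt.get("Resource"), resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        result = "Allow"
    return result


def is_allowed(principal_arn, action, resource, identity_policy, bucket_policy, bucket_owner_account):
    """Combine the identity policy of the caller with the bucket policy of the
    bucket owner. Same account: either Allow suffices. Cross account: both
    must Allow. Explicit Deny anywhere wins."""
    ident = _decision(identity_policy, principal_arn, action, resource)
    res = _decision(bucket_policy, principal_arn, action, resource)
    if "Deny" in (ident, res):
        return False
    if account_of(principal_arn) == bucket_owner_account:
        return ident == "Allow" or res == "Allow"
    return ident == "Allow" and res == "Allow"


# Constructed sample: bucket owned by account 111111111111 (placeholder).
BUCKET_OWNER = "111111111111"
SAME_ACCOUNT_USER = "arn:aws:iam::111111111111:user/alice"
OTHER_ACCOUNT_ROLE = "arn:aws:iam::222222222222:role/reader"
OBJECT = "arn:aws:s3:::your-bucket-name/report.csv"
READONLY_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*"]}]}
CROSS_ACCOUNT_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": OTHER_ACCOUNT_ROLE},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::your-bucket-name/*"}]}

if __name__ == "__main__":
    print("same account, identity policy only:",
          is_allowed(SAME_ACCOUNT_USER, "s3:GetObject", OBJECT, READONLY_IDENTITY_POLICY, None, BUCKET_OWNER))
    print("other account, bucket policy only:",
          is_allowed(OTHER_ACCOUNT_ROLE, "s3:GetObject", OBJECT, None, CROSS_ACCOUNT_BUCKET_POLICY, BUCKET_OWNER))
    print("other account, both policies:",
          is_allowed(OTHER_ACCOUNT_ROLE, "s3:GetObject", OBJECT, READONLY_IDENTITY_POLICY, CROSS_ACCOUNT_BUCKET_POLICY, BUCKET_OWNER))
```

The second case is the common misconfiguration in reverse: granting a foreign principal in the bucket policy is not enough on its own, the foreign account's administrator must also attach an identity policy to the role. The same model also shows why a bucket-policy Deny (for example on `s3:*` for everyone) blocks even same-account users who hold a full-access identity policy.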

By carefully setting IAM policies and bucket policies, you can control who has access to your S3 buckets and what actions they can perform.