
S3 Service


Bucket Policy

An IAM principal in the same account can access an S3 object if

  • the principal's identity-based IAM policy ALLOWS it OR the bucket (resource) policy ALLOWS it,
  • AND neither policy contains an explicit DENY for it.

Here is an example that allows all users in the account to read a specific S3 bucket, but denies one specific user access to it.

First, we define a bucket policy that allows every principal in account 123456789012 to read objects in the bucket. IAM does not accept wildcards inside a principal ARN (such as user/*), so the statement uses Principal "*" and scopes it to the account with the aws:PrincipalAccount condition key:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    }
  ]
}

If we do not want user1 to access the bucket, we attach an identity-based policy to user1 that explicitly denies access. The explicit Deny takes precedence over the Allow in the bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
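To make the evaluation rule above concrete, here is an added Python model (not from the original page) that applies the two policies to sample requests: explicit Deny wins, otherwise an Allow from either the identity policy or the bucket policy grants access, otherwise the request is implicitly denied. It is a deliberately simplified evaluator (no SCPs, permission boundaries, NotAction/NotResource or other condition keys), and the user names and object key are constructed.

```python
import fnmatch
import json

# Constructed sample policies mirroring the page: the bucket policy grants s3:GetObject
# to every principal in account 123456789012; user1's identity policy denies it.
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {"StringEquals": {"aws:PrincipalAccount": "123456789012"}}}]}""")
USER1_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Deny", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_applies(stmt, principal_arn, action, resource):
    """Match Principal (only a bare "*" is a wildcard), aws:PrincipalAccount, Action and Resource."""
    if "Principal" in stmt:  # identity-based policies carry no Principal element
        principal = stmt["Principal"]
        allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p in ("*", principal_arn) for p in allowed):
            return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalAccount")
    if wanted is not None and principal_arn.split(":")[4] not in _as_list(wanted):
        return False
    # IAM wildcards are * and ?, the same two fnmatch understands; ARNs contain no [ ] characters
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def evaluate(principal_arn, action, resource, identity_policies, bucket_policy):
    """Same-account rule from the page: explicit Deny wins, else any Allow grants, else implicit deny."""
    effects = set()
    for policy in list(identity_policies) + [bucket_policy]:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, principal_arn, action, resource):
                effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "explicitDeny"
    return "allowed" if "Allow" in effects else "implicitDeny"

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed object key
    for user in ("user1", "user2"):
        arn = f"arn:aws:iam::123456789012:user/{user}"
        policies = [USER1_POLICY] if user == "user1" else []
        print(user, evaluate(arn, "s3:GetObject", obj, policies, BUCKET_POLICY))
```

Running it prints explicitDeny for user1 and allowed for user2; a principal from another account, or a different action such as s3:PutObject, gets implicitDeny because no statement applies.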