Restricting an IAM User to a Sub Folder in Amazon S3

Do you want to use multiple IAM users with a single S3 bucket but don’t want the users to access each other’s files? You can craft a S3 bucket policy to limit a user to a specific S3 sub folder. The following will show you how to create a bucket policy and use SprightlySoft S3 Sync to work with that sub folder.

First find the User ARN of the user you want to restrict access to. You can find this in the AWS Management Console. Below is a screen shot of User ARN for a user called myuser.
RestrictUser1User

Next go to the properties bucket you want to use in the AWS Management Console. In this example we will use a bucket called bucketwithpolicy. On the properties page click “Add bucket policy”.
RestrictUser2Bucket

Below is the bucket policy to restrict the myuser user to a folder called subfolder/ in the bucketwithpolicy bucket. You will need to replace the user ARN, bucket name, and sub folder name if you would like to use the policy.

{
  "Statement": [
    {
      "Sid": "myuserBucketActions",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucketwithpolicy",
      "Principal": {
        "AWS": [
          "arn:aws:iam::657267205342:user/myuser"
        ]
      }
    },
    {
      "Sid": "myuserListBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucketwithpolicy",
      "Condition": {
        "StringLike": {
          "s3:prefix": "subfolder/*"
        }
      },
      "Principal": {
        "AWS": [
          "arn:aws:iam::657267205342:user/myuser"
        ]
      }
    },
    {
      "Sid": "myuserObjectActions",
      "Action": [
		"s3:AbortMultipartUpload",
		"s3:DeleteObject",
		"s3:GetObject",
		"s3:GetObjectAcl",
		"s3:PutObject",
		"s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucketwithpolicy/subfolder/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::657267205342:user/myuser"
        ]
      }
    }
  ]
}

In the policy above the first statement allows the user to execute the GetBucketLocation and ListBucketMultipartUploads commands on the bucket.

The next statement allows the user to list files in the bucket where the prefix is subfolder/.

The last statement allows the user to perform actions within the sub folder within the bucket.

To read more about bucket policies see http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html

Take the bucket policy you created and enter it in the AWS Management Console.
RestrictUser3Policy

Now that your bucket policy is applied, the user has access to the sub folder within the bucket. The user can not use S3 Sync to upload or download files from that sub folder. The user will not be able to access any other folder in the bucket.

Below is a screen shot of configuring S3 Sync using the command line wizard.

The command line to run S3 Sync will be similar to the one below.

"C:\Program Files (x86)\SprightlySoft\S3 Sync\S3Sync.exe" -AWSAccessKeyId xxxxxxxxxxxxxxxxxxxx -AWSSecretAccessKey xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -BucketName bucketwithpolicy -S3FolderKeyName subfolder/ -SyncDirection Upload -LocalFolderPath C:\Temp\bucketwithpolicy\subfolder

When the user runs the S3 Sync command line their files will be transferred.