I need S3 storage for a number of use cases. I typically create a new IAM user for each use. What I don’t like is that the default S3FullAccess policy unsurprisingly gives that user full access to ALL of my S3 buckets.
While this might be fine if the user will be for my local machine’s AWS CLI package it is not acceptable for a service like a plugin that backs up a WordPress website to S3. If the WordPress site is ever compromised I could lose all my data in all my S3 buckets.
Fortunately it is relatively simple to restrict an IAM user’s S3 access to a single bucket.
Here is the policy I am using from here, which I can confirm does work. (Something I cannot say for the official Amazon article on the same subject.)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-BUCKET-NAME",
"arn:aws:s3:::YOUR-BUCKET-NAME/*"
]
}
]
}