Set up an IAM user to manage an S3 bucket

Part of: Hosting assets on S3 + CloudFront

We can create an IAM user, e.g. S3-assets-manager, that only has permissions to manage one specific bucket.

The most basic permissions just allow listing and managing objects in the entire bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::assets.example.com",
                "arn:aws:s3:::assets.example.com/*"
            ]
        }
    ]
}

More Permissions

Permission to list buckets may also be useful in some cases (e.g. if needed for an integration that's bucket-name agnostic).
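
One way to check that a policy like the one above stays scoped to its bucket before attaching it to the user. This is an added example, not code from the original page. The "ListBuckets" statement is a constructed illustration of the list-buckets permission mentioned under More Permissions, and the function names are hypothetical.

```python
import json

# The page's policy plus a constructed second statement for listing buckets.
# s3:ListAllMyBuckets is not bucket-scoped, so it is granted on Resource "*".
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor1", "Effect": "Allow",
   "Action": ["s3:List*", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
   "Resource": ["arn:aws:s3:::assets.example.com",
                "arn:aws:s3:::assets.example.com/*"]},
  {"Sid": "ListBuckets", "Effect": "Allow",
   "Action": "s3:ListAllMyBuckets", "Resource": "*"}
]}
""")

def as_list(value):
    """IAM accepts a single string/object or a list in these fields."""
    return list(value) if isinstance(value, list) else [value]

def scope_findings(policy, bucket):
    """Return findings for Allow statements that reach beyond `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in as_list(policy["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything except what is listed")
            continue
        actions = as_list(stmt["Action"])
        resources = as_list(stmt["Resource"])
        # Listing bucket names is the one grant accepted on "*".
        if [a.lower() for a in actions] == ["s3:listallmybuckets"] and resources == ["*"]:
            continue
        for action in actions:
            if not action.lower().startswith("s3:") or action.lower() == "s3:*":
                findings.append(f"{sid}: action {action} is broader than bucket management")
        for res in resources:
            # A trailing "*" without "/" would also match other bucket names.
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} is outside {bucket_arn}")
    return findings

if __name__ == "__main__":
    for line in scope_findings(POLICY, "assets.example.com") or ["no findings"]:
        print(line)
```

An empty result means every Allow statement is limited to the named bucket and its objects, apart from the list-buckets grant.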