Amazon S3: Allows IAM users access to their S3 home directory, programmatically and in the console
This example shows how you might create an identity-based policy that allows IAM users to access their own home directory bucket object
in S3. The home directory is a bucket that includes a home folder and folders
for individual users. This policy defines permissions for programmatic and console access. To use this policy, replace the italicized placeholder text in the example policy with your own information.
Then, follow the directions in create a policy or edit a policy.
This policy will not work when using IAM roles because the aws:username
variable is not available when using IAM roles. For details about principal key values,
see Principal key values.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "S3ConsoleAccess", "Effect": "Allow", "Action": [ "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:ListAccessPoints", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket", "Condition": { "StringLike": { "s3:prefix": [ "", "home/", "home/${aws:username}/*" ] } } }, { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}", "arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}/*" ] } ] }
