Nick's Blog

How to create an IAM policy with Read and List permission for specific S3 buckets

You may come across the situation which only need to give permission for specific S3 buckets. The goal is to make the less privilege, but also get the work done properly.

The action actually is really simple and straight. You just need to create a IAM policy like below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1",
                "arn:aws:s3:::bucket2"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1/*",
                "arn:aws:s3:::bucket2/*"
            ]
        }
    ]
}

And then, create a new user with an existing policy. point the new created policy to the user. and download the credential.

One thing need to pay attention is; inside of the IAM policy you have to make sure you give the ListBucket policy first. And make another statement to give the GetObject permission. So that are two steps, rather than one statement with all.