Use an Amazon S3 bucket per application / application and environment

articles
,

I had a need to make sure that a particular application (technically a specific environment of an application) could only play in its own S3 bucket. I couldn't find any examples of this in the IAM documentation, so I ended up finding a similar example on the AWS forums and making some changes. Here's what I used:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketVersioning",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME_HERE",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*",
      "Condition": {}
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Condition": {},
      "NotResource": "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*"
    }
  ]
}

Hopefully this helps others ☺