Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

In this post, we’ll address a common question about how to write an AWS Identity and Access Management (IAM) policy to grant read-write access to an Amazon S3 bucket. Doing so helps you control who can access your data stored in S3.

You can grant either programmatic access or AWS Management Console access to S3 resources. For example, you might grant programmatic access to an application that reads and writes data gathered from a website to an S3 bucket. With console access, users who interact with S3 to download and upload files can use a web-based GUI instead of constructing API calls. Let’s walk through two different policies: one that grants programmatic access and another that grants console access.

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
      "Effect": "Allow",
      "Action": [
      "Resource": ["arn:aws:s3:::test/*"]

The policy is separated into two parts because the ListBucket action requires permissions on the bucket while the other actions require permissions on the objects in the bucket. We used two different Amazon Resource Names (ARNs) to specify bucket-level and object-level permissions. The first Resource element specifies arn:aws:s3:::test for the ListBucket action so that applications can list all objects in the test bucket. The second Resource element specifies arn:aws:s3:::test/* for the GetObject, PutObject, and DeletObject actions so that applications can read, write, and delete any objects in the test bucket.

We did not combine the two ARNs by using a wildcard, such as arn:aws:s3:::test*. Even though this ARN would grant permissions for all actions in a single statement, it is broader and grants access to any bucket and objects in that bucket that begin with test, like test-bucket or testing.

Full article at: