I'm trying to set up IAM users who can only upload files to their specific folders within a central S3 bucket using the console, without granting any other access. I've created an inline IAM policy that allows putObject and list permissions specifically for this bucket, but it seems to only work with the AWS CLI. I asked around and got mixed advice, but I'm still not sure how to restrict console access effectively. Has anyone encountered this issue and found a solution?
3 Answers
Just a heads up, the console and CLI share the same API calls, so it's tricky to restrict users to only using the console without unintentionally allowing CLI or API access as well. We handled it by creating a Windows jump box on AWS, limiting access to the IAM policy based on the IP of that box. Users RDP into the jump host and then can use the console there. It’s a bit of a hassle to manage, but it satisfies the security folks.
To set up console access for IAM users, start by creating the IAM users with console access. In the IAM policy, grant them list and get permissions for the bucket and its contents. After that, add the put permission specifically for the folders they are allowed to access. This way, they can only interact with their designated spaces in the bucket without accessing anything else.
Exactly! Plus, if you're worried about users accessing their permissions via the CLI, be sure not to generate any credentials for them.
It sounds like you've set up most of it correctly, but you need to ensure that the policy specifically allows actions based on the user's requirements. If a user can access files they shouldn't be able to, there might be a problem with your current policy setup. If you could share the JSON of your policy and describe any extra access that needs to be removed, that could help diagnose the issue better.
I actually tried this approach, but it didn't work as expected. The requirements seem to be more complex.