Sample IAM Policies for AWS S3

This article contains sample AWS S3 IAM policies with typical permissions configurations.

Configure these policies in the AWS console in Security & Identity > Identity & Access Management > Create Policy.

Policy for upload, download, and list content

The following sample IAM policy contains the minimum IAM permissions required to upload, download, or list content in an S3 bucket. Replace my_bucket with your actual S3 bucket name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464034295000",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my_bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::my_bucket"
      ]
    }
  ]
}

Policy to restrict users to a single folder

The following sample IAM policy restricts user access to a specific folder in the bucket. It grants the minimum permissions to upload, download, or list content, restricted to that folder, and also allows users to list the bucket and get its location. Replace my_bucket with your actual S3 bucket name and my_folder with the name of the folder in the bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToReadWriteObjectInFolder",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_bucket/my_folder/",
        "arn:aws:s3:::my_bucket/my_folder/*"
      ]
    },
    {
      "Sid": "AllowGetBucketLocation",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_bucket"
      ]
    },
    {
      "Sid": "AllowListBucketInFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "my_folder",
            "my_folder/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowListBucketUploads",
      "Action": [
        "s3:ListBucketMultipartUploads"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_bucket"
      ]
    }
  ]
}
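To check what the folder-restricted policy above actually permits before attaching it, here is an added example (not part of the original article, and not AWS's own evaluation engine): a simplified IAM evaluator in Python that loads a constructed copy of the object-access and ListBucket statements and answers allow/deny for a given action, resource ARN and request context. It models only the StringLike operator and the Deny-over-Allow precedence; the IAM policy simulator remains the authoritative check.

```python
import fnmatch
import json

# Constructed copy of the article's folder-restricted policy, reduced to the
# two statements that decide object access and bucket listing.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::my_bucket/my_folder/",
                  "arn:aws:s3:::my_bucket/my_folder/*"]},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my_bucket"],
     "Condition": {"StringLike": {"s3:prefix": ["my_folder", "my_folder/*"]}}}
  ]
}""")


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'); '*' also spans '/' as in IAM."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM decision: a matching Deny wins, otherwise any matching
    Allow grants access, otherwise the implicit default is deny. Action names
    compare case-insensitively, ARNs and prefixes case-sensitively. A StringLike
    condition whose context key is missing from the request fails, as in IAM."""
    context = context or {}
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not _matches([a.lower() for a in actions], action.lower()):
            continue
        if not _matches(resources, resource):
            continue
        cond_ok = True
        for key, allowed in stmt.get("Condition", {}).get("StringLike", {}).items():
            if key not in context or not _matches(allowed, context[key]):
                cond_ok = False
        if not cond_ok:
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Calling is_allowed(POLICY, "s3:GetObject", "arn:aws:s3:::my_bucket/other/file.txt") returns False, and a ListBucket request that sends no prefix at all is also refused because the s3:prefix condition key is absent from the request.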