I came here looking for how to restrict access to a bucket to one (or a list of) user(s). Maybe the post title is ambiguous?
Anyway, it seems to have Google's favor, so let's enrich it a little:
If you need to restrict access to a bucket to some user(s), follow these steps:
First, get the IDs of the users you want to grant rights to.
This can be achieved using the awscli command: aws iam list-users
Those IDs look like this: "AIDAIFKYAC9DNJXM2CRD" or "AIDAZ362UEKJCJMFFXCL"
Please comment if it's available in the web console.
Once you have the ID(s) that must be given access, put a policy on the bucket you want to protect.
To do this with the web console:
-> Open S3 -> Open your bucket -> Select the "Properties" tab -> Click on "Edit bucket policy"
To apply the policy using awscli, create a file with the policy's content, and put it on your bucket using this command:
aws s3api put-bucket-policy --bucket NAME_OF_YOUR_BUCKET --policy file:///path/to/policyFile.json
Of course, set NAME_OF_YOUR_BUCKET and the file's path to your values, BUT DON'T remove the file:// prefix before your file's name.
Warning: this deny policy will override the default "access to S3" a user could have. This means you can deny access to your OWN user with this. Use with caution!
I'm even afraid you could make a bucket fully inaccessible.
Out of curiosity, I tried accessing with our account's root user, which I didn't grant access to, and effectively couldn't.
Gotta ask support about this, and hopefully update this answer.
Anyway, I'm sure you'll be careful enough, so here's a sample policy.
Just replace the bucket's name with yours and the userId(s) with the one(s) you want to authorize to access it.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDAXAXAXAXAXAXAXAXAX",
                        "AIDAOXOXOXOXOXOOXOXOX",
                        "AIDAXIXIXIXIXIXIXIXIX"
                    ]
                }
            }
        }
    ]
}
For something more specific, or if you want to use roles instead of users, see this AWS post explaining in detail how to restrict access to a bucket.
Hope this helps.
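The lock-out risk described in the answer above can be checked locally before the policy is applied. The following is an added example, not code from the answer or from AWS: it builds the same Deny / StringNotLike / aws:userId policy for a list of ids and then evaluates which callers that policy would deny, using IAM's StringLike wildcard semantics (* and ?). All ids and the account number in it are constructed placeholders. It goes slightly beyond the answer by also listing the account id (which is the aws:userId the root user presents) and an assumed-role pattern of the form "<role id>:*", both of which AWS documents for this condition key; whether you want them in your own allow list is your call.

```python
import json
import re

# Constructed sample values (not real AWS identifiers).
BUCKET = "your-bucket-name"
ALLOWED_USER_IDS = [
    "AIDAXAXAXAXAXAXAXAXAX",   # an IAM user id, as returned by `aws iam list-users`
    "123456789012",           # the account id: the aws:userId presented by the root user
    "AROAEXAMPLEROLEID:*",    # an assumed-role session: "<role id>:<session name>"
]


def build_restrict_policy(bucket, allowed_user_ids):
    """Build the Deny-unless-listed bucket policy shown in the answer.

    Every principal whose aws:userId matches none of the listed patterns
    is denied all s3:* actions on the bucket and on its objects.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {
                    "StringNotLike": {"aws:userId": list(allowed_user_ids)}
                },
            }
        ],
    }


def _like(value, pattern):
    """IAM StringLike semantics: '*' matches any run, '?' one character.

    Matching is case-sensitive; a plain string compare with wildcards only.
    """
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def is_denied(policy, user_id):
    """Return True if a Deny statement in the policy hits this aws:userId.

    Only the StringNotLike / aws:userId shape produced above is evaluated;
    this is a local pre-flight check, not a full IAM policy simulator.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Condition"]["StringNotLike"]["aws:userId"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # StringNotLike is satisfied (so the Deny applies) when NO pattern matches.
        if not any(_like(user_id, p) for p in patterns):
            return True
    return False


def locked_out(policy, user_ids):
    """Return the ids from `user_ids` that the policy would deny."""
    return [u for u in user_ids if is_denied(policy, u)]


if __name__ == "__main__":
    policy = build_restrict_policy(BUCKET, ALLOWED_USER_IDS)
    print(json.dumps(policy, indent=2))   # paste into the file passed as --policy file://...
    # Check the callers you care about before running put-bucket-policy.
    for uid in ["AIDAXAXAXAXAXAXAXAXAX", "123456789012",
                "AROAEXAMPLEROLEID:deploy-session", "AIDAOTHERUSERIDXXXXXX"]:
        print(uid, "DENIED" if is_denied(policy, uid) else "allowed")
```

Running it with the answer's original three-user list (no account id) reports the account id as denied, which matches what the answer observed with the root user; adding the account id to the list is the usual way to keep a recovery path.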