Walkthroughs that use policies to manage access to your Amazon S3 resources
This topic provides the following introductory walkthrough examples for granting access to Amazon S3 resources. These examples use the Amazon Web Services Management Console to create resources (buckets, objects, users) and grant them permissions. The examples then show you how to verify permissions using the command line tools, so you don't have to write any code. We provide commands using both the Amazon Command Line Interface (Amazon CLI) and the Amazon Tools for Windows PowerShell.
-
Example 1: Bucket owner granting its users bucket permissions
The IAM users you create in your account have no permissions by default. In this exercise, you grant a user permission to perform bucket and object operations.
-
Example 2: Bucket owner granting cross-account bucket permissions
In this exercise, a bucket owner, Account A, grants cross-account permissions to another Amazon Web Services account, Account B. Account B then delegates those permissions to users in its account.
-
Managing object permissions when the object and bucket owners are not the same
The example scenarios in this case are about a bucket owner granting object permissions to others, but not all objects in the bucket are owned by the bucket owner. What permissions does the bucket owner need, and how can it delegate those permissions?
The Amazon Web Services account that creates a bucket is called the bucket owner. The owner can grant other Amazon Web Services accounts permission to upload objects, and the Amazon Web Services accounts that create objects own them. The bucket owner has no permissions on those objects created by other Amazon Web Services accounts. If the bucket owner writes a bucket policy granting access to objects, the policy doesn't apply to objects that are owned by other accounts.
In this case, the object owner must first grant permissions to the bucket owner using an object ACL. The bucket owner can then delegate those object permissions to others, to users in its own account, or to another Amazon Web Services account, as illustrated by the following examples.
-
Example 3: Bucket owner granting permissions to objects it does not own
In this exercise, the bucket owner first gets permissions from the object owner. The bucket owner then delegates those permissions to users in its own account.
-
Example 4 - Bucket owner granting cross-account permission to objects it does not own
After receiving permissions from the object owner, the bucket owner can't delegate permission to other Amazon Web Services accounts because cross-account delegation isn't supported (see Permission delegation). Instead, the bucket owner can create an IAM role with permissions to perform specific operations (such as get object) and allow another Amazon Web Services account to assume that role. Anyone who assumes the role can then access objects. This example shows how a bucket owner can use an IAM role to enable this cross-account delegation.
-
Before you try the example walkthroughs
These examples use the Amazon Web Services Management Console to create resources and grant permissions. To test permissions, the examples use the command line tools, Amazon CLI, and Amazon Tools for Windows PowerShell, so you don't need to write any code. To test permissions, you must set up one of these tools. For more information, see Setting up the tools for the walkthroughs.
In addition, when creating resources, these examples don't use root user credentials of an Amazon Web Services account. Instead, you create an administrator user in these accounts to perform these tasks.
About using an administrator user to create resources and grant permissions
Amazon Identity and Access Management (IAM) recommends not using the root user credentials of your Amazon Web Services account to make requests. Instead, create an IAM user or role, grant them full access, and then use their credentials to make requests. We refer to this as an administrative user or role. For more information, go to Amazon Web Services account root user credentials and IAM identities in the Amazon Web Services General Reference and IAM Best Practices in the IAM User Guide.
All example walkthroughs in this section use the administrator user credentials. If you have not created an administrator user for your Amazon Web Services account, the topics show you how.
To sign in to the Amazon Web Services Management Console using the user credentials, you must use the IAM user sign-In
URL. The IAM Console