Uploading files to Amazon S3 bucket from different user accounts

Question

I need to upload files to Amazon S3 bucket from my MVC .NET Core C# application. How can I organize this process so that different users of my app can't get access to each other files?

I guess they all should share one bucket, I can't create bucket for each user? But what should I specify in order each user of my application could download/list only his/her own files?

Answer 1

Why do you need to create a single bucket? As for my understanding is perfectly fine to create one by user.

Anyway,if you really need a single bucket you can use folder-level permissions through the IAM policies.

Here is how it will look a policy for one user:

The bucket name is mycompany
The user is David
The folder for each user is /home/name

The policy is allowing first to list the buckets, then is allowing listing folder /home and /home/name . And finally, all actions are allowed inside the folder /home/name

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringEquals":{"s3:prefix":["","home/", "home/David"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringLike":{"s3:prefix":["home/David/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::my-company/home/David/*"]
   }
 ]
}

You can find a good step-by-step explanation and how to here