AWS S3 IAM policy multiple buckets

Question

We want to create logical folders within a bucket but not more than for 100 buckets. Assuming that we only have only one AWS account, we want to distribute the uploaded documents among those 100 buckets. What would be the best practice to enforce a IAM policy for all buckets, so that having multiple users, only the document creator, may view/delete the uploaded document?

Tks.

Answer 1

I'm not sure that I fully understand your use case. Why do you want to distribute your buckets among your users?

Regarding the best practices for using IAM for "home directory" for a user, you can find in AWS Docs :

{
   "Statement":[{
      "Effect":"Allow",
      "Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion",
      "s3:DeleteObject","s3:DeleteObjectVersion"],
      "Resource":"arn:aws:s3:::my_bucket/home/user_name/*"
   }
   ]
}

Answer 2

As mentioned by @Guy , folders per user is better than buckets per user, but in either case you can use the policy variable ${aws:username} for one rule rather than multiple rules. See example in their documentation .

In your case, I think you could put it in the bucket arn like:

{
   "Statement":[{
      "Effect":"Allow",
      "Action":["s3:*"],
      "Resource":"arn:aws:s3:::bucket-for-${aws:username}/*"
   }]
}