Background

Recently, as part of refactoring our customer-facing project, we decided to store the frontend's static resources in AWS S3 and serve them through a CDN. This takes traffic load off the main site and improves access speed for users.

The access key the backend currently uses has full permissions, so we need a separate IAM user who can only work with one specific directory (strictly speaking, one key prefix, since S3 has no real directories). That prevents frontend colleagues from touching other objects in the bucket.

Specifying Policies for Users

Log in to the AWS console, open the Identity and Access Management (IAM) page, and choose Users in the navigation pane.

In the user list, click the user who needs the restriction to open the details page. On the Permissions tab, click Add inline policy and paste the following JSON into the JSON editor.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListSpecificPrefix",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "SPECIFIC_PATH",
                        "SPECIFIC_PATH/*"
                    ]
                }
            }
        },
        {
            "Sid": "ReadWriteStaticObjects",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME/SPECIFIC_PATH/*"
            ]
        }
    ]
}

In the policy above, replace BUCKET_NAME with your bucket name and SPECIFIC_PATH with the prefix you want to expose, written without a leading or trailing slash (it is used both in the s3:prefix condition and in the object ARN). The first statement only permits listing keys under that prefix; the SPECIFIC_PATH/* pattern is what lets a client list SPECIFIC_PATH/ and its sub-paths, because a bare SPECIFIC_PATH would match only a request for exactly that prefix. The second statement permits reading, writing and deleting objects under the prefix. Listing the bucket root is not permitted, so clients must be pointed at the prefix directly.

For example, to allow access only to the templates directory of a bucket named static, set BUCKET_NAME to static and SPECIFIC_PATH to templates, which makes the object resource arn:aws:s3:::static/templates/* and the listing condition match templates and templates/*.
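Before handing the new access key to anyone it is worth checking what the policy actually permits. The following added example (mine, not the author's) fills in the two placeholders with the static bucket and templates prefix from the text and runs a minimal evaluator of the IAM rules this policy relies on against a constructed set of sample requests. The bucket, prefix and request list are assumptions; the evaluator implements only Allow statements, the * and ? wildcards and the StringLike operator, which is everything this policy uses, so it is a sanity check rather than a substitute for the IAM policy simulator.

```python
"""Build the per-prefix S3 policy and check it against sample requests.

Added example, not the article's or AWS's code.  The evaluator supports
only what this policy needs: Allow statements, '*'/'?' wildcards in Action
and Resource, and the StringLike condition operator.
"""
import fnmatch
import json


def build_policy(bucket, prefix):
    """Return the policy with BUCKET_NAME/SPECIFIC_PATH filled in.

    s3:prefix is matched as "<prefix>" and "<prefix>/*" so that listing
    "templates/" and "templates/css/" works; a plain "templates" pattern
    would only match a request for exactly that prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListSpecificPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}},
            },
            {
                "Sid": "ReadWriteStaticObjects",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
            },
        ],
    }


def _matches(pattern, value):
    # IAM wildcards: '*' any run of characters, '?' one character; case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource, context=None):
    """Identity-policy evaluation: implicit deny unless an Allow statement
    matches the action, the resource and all of its conditions.  A StringLike
    condition whose key is absent from the request context is not met, which
    is how IAM treats a bucket-root listing that carries no s3:prefix."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        conditions_met = True
        for operator, keys in stmt.get("Condition", {}).items():
            if operator != "StringLike":
                raise NotImplementedError(f"operator {operator} not modelled")
            for key, patterns in keys.items():
                if key not in context or not any(
                    _matches(p, context[key]) for p in _as_list(patterns)
                ):
                    conditions_met = False
        if conditions_met:
            return True
    return False


POLICY = build_policy("static", "templates")

# Constructed sample requests: (action, resource, request context, expected).
SAMPLE_REQUESTS = [
    ("s3:ListBucket", "arn:aws:s3:::static", {"s3:prefix": "templates/"}, True),
    ("s3:ListBucket", "arn:aws:s3:::static", {"s3:prefix": "templates/css/"}, True),
    ("s3:ListBucket", "arn:aws:s3:::static", {}, False),  # bucket root, no prefix
    ("s3:ListBucket", "arn:aws:s3:::static", {"s3:prefix": "uploads/"}, False),
    ("s3:GetObject", "arn:aws:s3:::static/templates/index.html", {}, True),
    ("s3:PutObject", "arn:aws:s3:::static/templates/js/app.js", {}, True),
    ("s3:DeleteObject", "arn:aws:s3:::static/uploads/secret.txt", {}, False),
    ("s3:GetObject", "arn:aws:s3:::static/templates-old/index.html", {}, False),
    ("s3:DeleteBucket", "arn:aws:s3:::static", {}, False),
]


def check_samples(policy=POLICY):
    """Return the (action, resource) pairs whose outcome differs from expectation."""
    return [(a, r) for a, r, ctx, expected in SAMPLE_REQUESTS
            if is_allowed(policy, a, r, ctx) != expected]


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=4))
    print("mismatches:", check_samples())
```

A request that lists the bucket root carries no s3:prefix, so it fails the StringLike condition; point clients at the prefix itself (for example s3://static/templates/) rather than at the bucket. Swapping the condition to a bare templates pattern makes the evaluator refuse the templates/ listing that every GUI client sends, which is why the trailing /* matters.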

Special Case

After I assigned the policy to a user and logged in using the Transmit GUI client, I found that I could still access all objects in the bucket and delete them, as if the policy had not taken effect.

After multiple tests and some investigation I found the cause: in the bucket's Permissions tab, the ACL had every permission ticked for the Authenticated Users group, which means anyone with an AWS account, not just users of our own account. ACL grants are evaluated alongside IAM policies, so that grant alone authorised access to the whole bucket regardless of what the user's inline policy said. Remove that grant (and any grant to Everyone); if nothing depends on ACLs, set Object Ownership to "Bucket owner enforced", which disables ACLs for the bucket entirely, and turn on Block Public Access, which also treats grants to Authenticated Users as public.
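The grant that caused the problem is easy to miss in the console, so here is an added example (mine, not the author's) that audits a bucket ACL for grants to the predefined AllUsers and AuthenticatedUsers groups and produces the cleaned ACL to write back. The ACL document is constructed in the shape that boto3's s3.get_bucket_acl() returns, with a placeholder canonical user ID; in real use you would pass that call's result in and hand the cleaned document to s3.put_bucket_acl(Bucket=..., AccessControlPolicy=...).

```python
"""Audit an S3 bucket ACL for grants to the global AllUsers/AuthenticatedUsers
groups, the kind of grant that let a prefix-restricted IAM user reach the
whole bucket.  Added example; the ACL below is constructed sample data in the
shape of boto3's get_bucket_acl() response, not a real bucket.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {
    ALL_USERS: "AllUsers (anyone, no credentials needed)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account)",
}

# Constructed sample: the state described in the article, with every
# permission ticked for the Authenticated Users group.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "static-owner", "ID": "EXAMPLE-CANONICAL-USER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-USER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE_ACP"},
    ],
}


def _is_global_group(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS


def public_grants(acl):
    """Return (group description, permission) for every grant to a global group.

    WRITE on a bucket ACL lets the grantee upload and delete any object, which
    is exactly the bypass observed above; READ lets them list the bucket."""
    return [(GLOBAL_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", []) if _is_global_group(g)]


def owner_only_acl(acl):
    """The same ACL with every global-group grant removed, in the form that
    put_bucket_acl(AccessControlPolicy=...) accepts."""
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if not _is_global_group(g)],
    }


if __name__ == "__main__":
    for group, permission in public_grants(SAMPLE_ACL):
        print(f"open grant: {permission:<12} -> {group}")
    print("cleaned ACL keeps", len(owner_only_acl(SAMPLE_ACL)["Grants"]), "grant(s)")
```

Removing the grants restores the intended behaviour, but it only addresses this bucket's current ACL; the durable fix is the Object Ownership setting that disables ACLs, after which the audit above finds nothing because no ACL grants can exist.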

I hope this is helpful. Happy hacking…