Assigning Every Amazon EC2 Linux Instance User a Specific S3 Bucket Folder
Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. An EC2 instance is a virtual machine deployed in the cloud that can be used for various computations. At its core, an EC2 instance is a Linux or Windows machine, so several users can log in to it and use it to perform their computations.
Using AWS IAM, we can control each user's access to an S3 bucket so that every user can reach only the bucket prefix (folder) assigned to them and is denied access to the rest of the bucket. This limited access can be extended to the Linux users of an EC2 instance as well. It is achieved by following these steps.
1. Construct an IAM policy with folder-level permissions for Amazon S3 buckets.
Using the AWS CLI, we do this by creating a JSON file with the following content and then running the aws iam create-policy command.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::<bucket-name>"],
      "Condition": {"StringEquals": {"s3:prefix": ["", "home/"], "s3:delimiter": ["/"]}}
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::<bucket-name>"],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/${aws:username}/*",
            "home/${aws:username}"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::<bucket-name>/home/${aws:username}/*"]
    }
  ]
}
aws iam create-policy --policy-name user-specific-folders --policy-document file://user-specific-folders.json
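To check that the policy above really confines each IAM user to home/<username>/, here is a small offline evaluator of its four statements (an added example, not AWS code or the article's own): it substitutes ${aws:username}, applies IAM wildcard matching and the StringEquals/StringLike condition operators the policy uses, and answers whether a request is allowed. The bucket name example-bucket and the user names are constructed placeholders.

```python
import fnmatch

BUCKET_ARN = "arn:aws:s3:::example-bucket"   # constructed stand-in for <bucket-name>
USERVAR = "${aws:username}"

# The four Allow statements of the policy above, in compact form.
POLICY = [
    {"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN],
     "Condition": {"StringEquals": {"s3:prefix": ["", "home/"],
                                    "s3:delimiter": ["/"]}}},
    {"Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN],
     "Condition": {"StringLike": {"s3:prefix": [f"home/{USERVAR}/*",
                                                f"home/{USERVAR}"]}}},
    {"Action": ["s3:*"], "Resource": [f"{BUCKET_ARN}/home/{USERVAR}/*"]},
]

def _match(pattern, value, user):
    """IAM-style comparison: substitute ${aws:username}, then * and ? wildcards."""
    return fnmatch.fnmatchcase(value, pattern.replace(USERVAR, user))

def _condition_ok(condition, ctx, user):
    """Every condition key must match; a key absent from the request fails."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if key not in ctx:
                return False
            if operator == "StringEquals":
                if ctx[key] not in [p.replace(USERVAR, user) for p in patterns]:
                    return False
            elif operator == "StringLike":
                if not any(_match(p, ctx[key], user) for p in patterns):
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def is_allowed(user, action, resource, ctx=None):
    """Default deny: allowed only if some statement matches the action, the
    resource and (when present) its Condition block. No Deny statements here."""
    ctx = ctx or {}
    for stmt in POLICY:
        if (any(_match(a, action, user) for a in stmt["Action"])
                and any(_match(r, resource, user) for r in stmt["Resource"])
                and _condition_ok(stmt.get("Condition", {}), ctx, user)):
            return True
    return False
```

Running is_allowed("user1", "s3:GetObject", BUCKET_ARN + "/home/user2/report.csv") returns False while the same call for home/user1/ returns True; note that s3:* also grants s3:DeleteObject inside the user's own folder, so narrow the action list if deletion should not be permitted.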
2. Create new IAM users and attach the aforementioned policy to them
Using the AWS CLI, we can do this with the following commands:
aws iam create-user --user-name user1
aws iam create-access-key --user-name user1 > access-key.txt
aws iam attach-user-policy --policy-arn arn:aws:iam::<account-id>:policy/user-specific-folders --user-name user1
3. Create EC2 instance Linux users that correspond to these IAM users
We can do this with the following Linux commands:
sudo useradd user1
sudo passwd user1
sudo su - user1
4. Switch to the newly created user and configure the AWS CLI for that user
We can do this with the following commands from inside the EC2 instance:
aws configure set aws_access_key_id <access-key>
aws configure set aws_secret_access_key <secret-key>
Note: Take the values of access-key and secret-key from the file access-key.txt created in step 2.