Amazon AWS S3 IAM Policy based on namespace or tag

Question

I have a number of buckets that start with the same namespace as in assets-<something>, so I was wondering what would be the best option to give rights to IAM group with minimal need to maintain it.

Is it possible to use any sort of regex in ARN? Or maybe I could use tags? EC2 has condition for ResourceTag, but it appears that it does not exist for S3.

Or should I with each bucket add new ARN to the policy?

Again, I am searching for the minimal solution so attaching new policy to each bucket itself seems to be a bit much.

Answer 1

An IAM policy can grant access to Amazon S3 buckets based on a wildcard.

For example, this policy grants permissions to list the contents of a bucket and retrieve an object from a bucket, but only if the bucket starts with assets-:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SomeSID",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::assets-*",
        "arn:aws:s3:::assets-*/*"
      ]
    }
  ]
}

Note that the Resource section refers to both the bucket (for ListBucket) and the content of the bucket (for GetObject).

Wildcard also work elsewhere in the bucket name, eg: arn:aws:s3:::*-record

It is not possible to grant access to Amazon S3 buckets based on Tags.

ARN format

As an aside, if you're wondering why there are so many colons in the ARN (Amazon Resource Name) for an Amazon S3 bucket, it's because the normal format for an ARN is:

arn:aws:<service name>:<region>:<account>:<resource>

In the case of an Amazon S3 bucket, the region and account can be discerned from the bucket name (which is globally unique), so those parameters are left blank.

Answer 2

Yes indeed it appears I can use IAM policy with ARN arn:aws:s3:::assets-* and arn:aws:s3:::assets-*/*