I'm working on a site that is probably destined for AWS hosting. This leads to a question about access rights to stuff that would be stored in S3 buckets:
- I set up an EC2 server for the site, and an S3 bucket to hold some of the site's stuff.
- Alice and Bob create accounts on my site.
- Alice and Bob both upload files that end up in the bucket.
- Alice should be able to see her file but not Bob's, and vice versa.
- Anonymous users of the site should be able to see neither file.
Is this possible with S3? My impression is that this is what AWS IAM is for; is this correct? I'm slowly getting past my AWS newbie-ism, but I'm not quite there yet — thanks!
Best Answer
Yes, this is possible. Here is the design pattern that you'll want to implement. The short version: You'll create an IAM user account for each Alice and Bob. They get their own AWS access keys that will be used to access the S3 bucket. You'll then apply a S3 policy to the bucket in question.
Where most people get confused is that "IAM policies" and "S3 bucket policies" are two, different things and both need to be set up.