How to create a Home directory for your organization | IAM — AWS

Step-by-step guide to providing private cloud space on S3 for all the users in your organization. Each user will only be able to view and create files in his own directory space.



Identity and Access Management (IAM) is the cornerstone of security in AWS. In IAM, permissions are defined in terms of policies. A policy is a JSON document comprised of the following key attributes.

  • Effect — Indicates whether the statement allows or denies access to the resource.
  • Principal — Indicates the account, user, role, or federated user to which you would like to allow or deny access.
  • Action — A list of actions that the policy allows or denies.
  • Resource — A list of resources to which the actions apply.
  • Condition — An optional attribute; the statement applies only when the given condition evaluates to true.

Today, I’m going to explain how to create a HOME directory on S3 where users can upload, read and delete their own files in folders named after their AWS username. A user can only interact with the items in his own folder; he cannot access anyone else’s home folder.


Steps

Let’s create a user in IAM. I am logged into the AWS console as an administrator with all the privileges.


Give him a username and password to log in to the AWS console. Make sure AWS Management Console access is ticked.


Do not add him to a group just yet. Click the Review button, then select Create User on the next screen. You should see a warning that the user doesn’t have any permissions.

Once the user is created, select him on the IAM page and click Add Permission on the Permissions tab.

On the next screen select Attach existing policies directly and then Create policy. This opens the policy editor window.

Now it’s time to use the policy editor to create a policy that lets any IAM user access S3 but upload, read and delete items only in the folder matching his own username. You can use either the visual editor or the JSON editor. I’m going to use the JSON editor to add a list of permission statements for the user.

Allowing all users to list all S3 buckets in S3

The first permission we need to add inside the Statement array allows users to list all the S3 buckets in the account, so a user sees every bucket when he opens S3.

Okay, now select the JSON tab in the window.

Let’s allow the s3:ListAllMyBuckets API call on all S3 resources as shown below.


    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        }
      ]
    }

Additionally, we need to allow the dependent s3:GetBucketLocation API call as well.


    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:GetBucketLocation",
          "Resource": "arn:aws:s3:::*"
        }
      ]
    }

At this point an IAM user can open S3 and view all the buckets in it, but he still cannot view the contents of any of them. Now let’s create the Home folder in an S3 bucket.

I created a bucket called "my-organization" in S3 without changing any configuration in the create wizard. (You need to choose a unique name for your bucket.)

Within my-organization I created a Home folder. Inside the Home folder I created two folders, mike and andrew.

Let’s upload a couple of files into these two folders to test later.

Okay, now it’s time to add more permission statements to the policy we have been creating.

Allowing an IAM user to view the Home folder

Let’s add the third statement to the policy. For an IAM user, we are going to allow s3:ListBucket on the bucket we created (i.e. my-organization). In addition, let’s add a condition that restricts the listing to the bucket root and the Home folder inside my-organization, using "/" as the delimiter.


    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-organization",
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "Home/"],
          "s3:delimiter": ["/"]
        }
      }
    }

Okay. Now our IAM user can access the Home folder inside my-organization.

Here is the full policy so far.


    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:GetBucketLocation",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::my-organization",
          "Condition": {
            "StringEquals": {
              "s3:prefix": ["", "Home/"],
              "s3:delimiter": ["/"]
            }
          }
        }
      ]
    }

Allowing the user to view his own folder inside the Home folder

Now we need to allow the IAM user to access his own folder. At this moment he can only list the Home folder. To add this permission, the following statement is appended to the policy.


    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:GetBucketLocation",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::my-organization",
          "Condition": {
            "StringEquals": {
              "s3:prefix": ["", "Home/"],
              "s3:delimiter": ["/"]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::my-organization",
          "Condition": {
            "StringLike": {
              "s3:prefix": ["Home/${aws:username}/*"]
            }
          }
        }
      ]
    }

As you read the last statement of the policy, you can notice that we allow the same s3:ListBucket API again. However, the condition is different: earlier it was StringEquals, but now it’s StringLike. Since we need to allow the user to read/list all the files and subfolders within his directory, the prefix has to be matched with a wildcard, which is what the StringLike condition provides.

Allowing the IAM user to do anything within his folder (Create/Update/Delete)

So far, our IAM user can list/read within his directory. To allow him to create, update and delete items, we need to append the final statement to the policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:GetBucketLocation",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::my-organization",
          "Condition": {
            "StringEquals": {
              "s3:prefix": ["", "Home/"],
              "s3:delimiter": ["/"]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::my-organization",
          "Condition": {
            "StringLike": {
              "s3:prefix": ["Home/${aws:username}/*"]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": ["s3:*"],
          "Resource": [
            "arn:aws:s3:::my-organization/Home/${aws:username}",
            "arn:aws:s3:::my-organization/Home/${aws:username}/*"
          ]
        }
      ]
    }

By using the wildcard s3:* as the action value, we grant all S3 actions to the IAM user within his own folder.
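To see how the five statements interact before attaching the policy, here is an added Python example (not part of the original post) that assembles the policy for a bucket and runs a small offline evaluator over it. The evaluator is a deliberate simplification of IAM's logic written for this example, using fnmatch as a stand-in for IAM's wildcard matcher; the bucket name and the users mike and andrew are the post's own.

```python
import fnmatch

def home_directory_policy(bucket: str) -> dict:
    """Assemble the five statements from the post for the given bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    home = f"{bucket_arn}/Home/${{aws:username}}"  # IAM expands ${aws:username} per request
    return {
        "Version": "2012-10-17",  # plain hyphens; IAM rejects any other version string
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
            {"Effect": "Allow", "Action": "s3:GetBucketLocation", "Resource": "arn:aws:s3:::*"},
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": bucket_arn,
             "Condition": {"StringEquals": {"s3:prefix": ["", "Home/"], "s3:delimiter": ["/"]}}},
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": bucket_arn,
             "Condition": {"StringLike": {"s3:prefix": ["Home/${aws:username}/*"]}}},
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": [home, home + "/*"]},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy: dict, username: str, action: str, resource: str, context: dict) -> bool:
    """Simplified IAM evaluation (this example's own): implicit deny unless an Allow matches.
    Models only what this policy needs: '*' wildcards, StringEquals/StringLike conditions
    and ${aws:username} substitution; fnmatch stands in for IAM's own matcher."""
    expand = lambda s: s.replace("${aws:username}", username)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, expand(r)) for r in _as_list(stmt["Resource"])):
            continue
        satisfied = True
        for operator, keys in stmt.get("Condition", {}).items():
            like = operator == "StringLike"
            for key, patterns in keys.items():
                value = context.get(key)  # a key missing from the request never satisfies the test
                if value is None or not any(
                    fnmatch.fnmatchcase(value, expand(p)) if like else value == expand(p)
                    for p in patterns
                ):
                    satisfied = False
        if satisfied:
            return True
    return False
```

Listing the bucket root or Home/ passes through the StringEquals statement, listing Home/mike/ passes only through the StringLike one, and Home/andrew/ or a sibling such as Home/mike2/ matches neither and is denied.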

Okay. Let’s click Review. Give the policy a name (e.g. HomeDirectoryAccess) and click Create Policy.

Assigning the policy to an IAM user

Now that we have the policy ready, let’s attach it to mike. Select mike in the IAM Users section and click Add permission.

Select Attach existing policies directly and choose Customer managed policy from the filter dropdown.

From the policy list, select the policy you created above (e.g. HomeDirectoryAccess).



Testing the policy enforcement on Mike

Now let’s log out of the admin account and log back in as the user mike. Afterwards go to S3 and select the bucket you created, then go inside the Home folder.

You should see both the user folders for mike and andrew.

Let’s try to access andrew’s folder.

You will see an Access Denied error message. This is exactly what we wanted: mike cannot access other users’ folders.

Let’s access mike’s folder.

As you can see, he can access his folder without any issue. In fact he can create, update and delete files as he wishes.

Mission accomplished. We successfully created a Home directory where IAM users can only access their own folders. Additionally, you can set up a third-party tool for users to access S3 instead of logging in to the AWS console.

This marks the end of this blogpost.

Cheers!