Mobile phones can upload their content to our S3 bucket under an IAM user correctly using the below bucket policy:
  {
    "Version": "2008-10-17",
    "Id": "redacted",
    "Statement": [
      {
        "Sid": "redacted",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::redacted:user/iam_user"
        },
        "Action": "s3:ListBucketMultipartUploads",
        "Resource": "arn:aws:s3:::bucket_name"
      },
      {
        "Sid": "redacted",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::202695660434:user/iam_user"
        },
        "Action": [
          "s3:AbortMultipartUpload",
          "s3:GetObject",
          "s3:ListMultipartUploadParts",
          "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::bucket_name/uploads/*"
      }
    ]
  }
I would like to follow best practices and allow federated users to upload from mobile to this bucket. How would I adjust the policy? I can currently create the federated user creds, but can't get it to upload correctly. This policy failed to save:
  {
    "Version": "2008-10-17",
    "Id": "redacted",
    "Statement": [
      {
        "Action": [
          "sts:GetFederationToken"
        ],
        "Sid": "redacted",
        "Resource": [
          "*"
        ],
        "Effect": "Allow"
      },
      {
        "Sid": "redacted",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::redacted:user/iam_user"
        },
        "Action": "s3:ListBucketMultipartUploads",
        "Resource": "arn:aws:s3:::bucket_name"
      },
      {
        "Sid": "redacted",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::202695660434:user/iam_user"
        },
        "Action": [
          "s3:AbortMultipartUpload",
          "s3:GetObject",
          "s3:ListMultipartUploadParts",
          "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::bucket_name/uploads/*"
      }
    ]
  }
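One way to wire this up, as an added example that is not from the original thread: the sts:GetFederationToken grant goes into an identity-based policy attached to iam_user (bucket policies accept only S3 actions and require a Principal, so STS actions cannot live there), and each phone receives a token whose session policy is limited to its own prefix under uploads/, so one device cannot read or overwrite another device's uploads. The device_id value, the mobile-<id> session name and the use of boto3 for the real STS call are assumptions of this example.

```python
import json

UPLOAD_PREFIX = "uploads"  # key prefix used by the bucket policy in the question

def iam_user_policy(bucket: str) -> dict:
    """Identity policy for iam_user, the token issuer: GetFederationToken creds get
    the intersection of this policy and the per-call session policy (outer bound)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:ListBucketMultipartUploads",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:AbortMultipartUpload", "s3:GetObject",
                        "s3:ListMultipartUploadParts", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{UPLOAD_PREFIX}/*"},
        ],
    }

def session_policy(bucket: str, device_id: str) -> dict:
    """Session policy that narrows one token to uploads/<device_id>/* only."""
    if not (1 <= len(device_id) <= 24 and device_id.isalnum()):
        raise ValueError("device_id must be 1-24 alphanumeric characters")
    prefix = f"{UPLOAD_PREFIX}/{device_id}/"  # no '/' or '..' can sneak in
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucketMultipartUploads",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
            {"Effect": "Allow",
             "Action": ["s3:AbortMultipartUpload", "s3:GetObject",
                        "s3:ListMultipartUploadParts", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }

def issue_upload_credentials(sts, bucket: str, device_id: str, ttl: int = 3600) -> dict:
    """Call STS as iam_user (boto3 client or a stand-in) and return short-lived creds."""
    resp = sts.get_federation_token(Name=f"mobile-{device_id}",  # stays <= 32 chars
                                    Policy=json.dumps(session_policy(bucket, device_id)),
                                    DurationSeconds=ttl)
    return resp["Credentials"]

if __name__ == "__main__":  # real call: needs iam_user's access keys in the environment
    import boto3
    print(issue_upload_credentials(boto3.client("sts"), "bucket_name", "phone01"))
```

The phone only ever sees the temporary credentials returned here; iam_user's long-lived keys stay on the backend that calls issue_upload_credentials.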
I am having the same situation, where I need some users to upload files to a particular bucket and some users to download data from some buckets.
I am planning to have a Lambda function which will request access on behalf of the user to read/write from specific buckets and provide the files to them locally. I am not sure if this is one of the best practices.
I will provide security around how the Lambda function will be called.