It took me a while to figure this out. Googling helped, but the answers are not obvious. So, you have IAM user and you want to grant that user complete read-write access to some bucket. Catch is that you need two statements to achieve this. Here is full bucket policy (just replace “YourIAMUser” and “YourBucketName” in the policy below):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Principal": {
                "AWS": "arn:aws:iam::821707826313:user/YourIAMUser"
            },
            "Resource": [
                "arn:aws:s3:::YourBucketName"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Principal": {
                "AWS": "arn:aws:iam::821707826313:user/YourIAMUser"
            },
            "Resource": [
                "arn:aws:s3:::YourBucketName/*"
            ]
        }
    ]
}

So, explanation now – as I already mentioned, notice that we have two separate statements (lines 3-14 and 15-28).

• First one allow IAM user to “list buckets” (line 6) and resource given here is just plain ARN to the bucket (line 12)
• Second statement gives that IAM user permissions on objects in bucket (lines 18-20), but resource given here is path to your bucket plus “/*” (line 26). This is the key thing I was missing when trying to create policy using AWS policy tool.

Hope this helps you!