3 Answers
Hi Shivam,
Short answer:
No, you can’t specify an IAM group as a principal.
Long answer:
On the AWS Policy Generator page there’s an "a description of elements" link which in turn has an "AWS JSON policy elements: Principal" link. On there it states:
"Specifying a principal
You specify a principal using the Amazon Resource Name (ARN) or other identifier of the principal. You cannot specify IAM groups and instance profiles as principals."
Hope this helps 🙂
S3 bucket policies and IAM policies are totally different, and since bucket policies won’t work with groups you’ll need to do this via an IAM policy, as shown below:
https://docs.aws.amazon.com/IAM/latest/UserGuide/idgroupsmanage_attach-policy.html
Hope this helps 🙂
Correct, you have to create an IAM Policy first: under Service select S3, then add the desired permissions AND specify the bucket or buckets that you want to be affected. Then you need to apply the Policy to the group.
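As an added illustration of the steps in this answer (example code, not from anyone in the thread): the first function builds the identity-based policy document you would attach to the group, scoped to one bucket; the second lints a bucket policy for the mistake the thread is about, an IAM group ARN used as a Principal. Account id, group name and bucket name are constructed placeholders.

```python
"""Build the identity-based policy for an IAM group and lint a bucket policy
for IAM-group principals, which S3 does not accept (added example)."""
import json

# Constructed sample values; substitute your own account id, group and bucket.
ACCOUNT_ID = "123456789012"
GROUP_NAME = "s3-readers"
BUCKET = "example-bucket"

BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}


def group_policy_document(bucket: str, actions=("s3:ListBucket", "s3:GetObject")) -> dict:
    """Identity-based policy to attach to the IAM group.
    Bucket-level actions (ListBucket) apply to the bucket ARN; object actions
    (GetObject, PutObject, ...) apply to bucket/*, so they go in separate statements."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    bucket_actions = sorted(a for a in actions if a in BUCKET_LEVEL)
    object_actions = sorted(a for a in actions if a not in BUCKET_LEVEL)
    statements = []
    if bucket_actions:
        statements.append({"Sid": "BucketLevel", "Effect": "Allow",
                           "Action": bucket_actions, "Resource": bucket_arn})
    if object_actions:
        statements.append({"Sid": "ObjectLevel", "Effect": "Allow",
                           "Action": object_actions, "Resource": f"{bucket_arn}/*"})
    return {"Version": "2012-10-17", "Statement": statements}


def find_group_principals(bucket_policy: dict) -> list:
    """Return the Sids of bucket-policy statements whose Principal names an IAM group.
    Such statements are rejected; the group's users need an identity policy instead."""
    bad = []
    for stmt in bucket_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(arns, str):
            arns = [arns]
        if any(":group/" in arn for arn in arns):
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


if __name__ == "__main__":
    # Document to attach with aws iam put-group-policy / attach-group-policy.
    print(json.dumps(group_policy_document(BUCKET), indent=2))
    # Constructed bucket policy that wrongly names the group as principal.
    broken = {"Version": "2012-10-17", "Statement": [{
        "Sid": "GroupAsPrincipal", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:group/{GROUP_NAME}"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
    print("statements with IAM group principals:", find_group_principals(broken))
```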
Thanks Hotspur. That makes sense, but I do have a follow-up question then – if I really have to do what I am trying to do about applying an IAM policy to a group of users, what is the way to implement that? Unfortunately, I could not find a link that can guide me to do so. Thanks.