Certified Security - Specialty


Can I create an S3 Bucket policy for an IAM group?

I am trying to create a new S3 bucket policy and apply it to a new group that I have created. I am getting an error message while doing so when I use the group ARN in the policy JSON. My group has one user as well.

3 Answers

Hi Shivam,

Short answer:

No, you can’t specify an IAM group as a principal

Long answer:

On the AWS Policy Generator page there’s an "a description of elements" link which in turn has an "AWS JSON policy elements: Principal" link. On there it states:

"Specifying a principal

You specify a principal using the Amazon Resource Name (ARN) or other identifier of the principal. You cannot specify IAM groups and instance profiles as principals."

Hope this helps 🙂

Shivam Mathur

Thanks Hotspur. That makes sense, but I do have a follow-up question then – if I really have to do what I am trying to do about applying an IAM policy to a group of users, what is the way to implement that? Unfortunately, I could not find a link that can guide me to do so. Thanks.

S3 bucket policies and IAM policies are totally different, and since bucket policies won’t work with groups you’ll need to do this via an IAM policy, as shown below:

https://docs.aws.amazon.com/IAM/latest/UserGuide/idgroupsmanage_attach-policy.html

Hope this helps 🙂

Correct, you have to create an IAM policy first: under the service, select S3, then add the desired permissions AND specify the bucket or buckets that you want to be affected. Then you need to apply the policy to the group.
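As an added illustration (not code from any of the answers above), the following Python linter flags the exact mistake from the question, an IAM group (or instance profile) ARN used as a `Principal` in a bucket policy, and rewrites the statement into the identity-based form that can be attached to the group. The account ID, group name and bucket name are constructed placeholders.

```python
import json
import re

# Constructed sample: the bucket policy from the question, which AWS rejects
# because a resource-based policy cannot name an IAM group as its Principal.
BUCKET_POLICY_WITH_GROUP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGroupRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:group/s3-readers"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Principal types that resource-based policies (bucket policies) do not accept:
# IAM groups and instance profiles. Users and roles are fine.
UNSUPPORTED_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:(group|instance-profile)/")


def find_unsupported_principals(policy):
    """Return (Sid, ARN) pairs for every Principal that a bucket policy would reject."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "*" shorthand or absent: no ARN to inspect
        arns = principal.get("AWS", [])
        if isinstance(arns, str):
            arns = [arns]
        for arn in arns:
            if UNSUPPORTED_PRINCIPAL.match(arn):
                findings.append((stmt.get("Sid", ""), arn))
    return findings


def to_identity_policy(policy):
    """Rewrite a resource-based policy as an identity-based one.

    Identity-based policies must not carry a Principal element: the group the
    policy is attached to is the implicit principal, so the element is dropped
    and Effect/Action/Resource are kept unchanged (scoped to the bucket).
    """
    statements = [{k: v for k, v in s.items() if k != "Principal"} for s in policy["Statement"]]
    return {"Version": policy["Version"], "Statement": statements}


if __name__ == "__main__":
    print("bucket policy problems:", find_unsupported_principals(BUCKET_POLICY_WITH_GROUP))
    # The printed document is what you would attach to the group via IAM (console or CLI).
    print(json.dumps(to_identity_policy(BUCKET_POLICY_WITH_GROUP), indent=2))
```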
