
AWS user-collaborator

Overview

Below are IAM policy templates, graded by the extent of the permissions given to the user on the collaborator's side. Some example use cases would be:

  • Providing a collaborator with access to existing data held in an S3 bucket to support transfer of data from you to them (one-way download)
  • Providing a collaborator with access to an S3 bucket to support transfer of data from them to you as part of an ongoing project (upload and download)

Templates

This template is designed for creating an IAM policy to attach to a new AWS IAM user that allows specific collaborators to download files (read-only) from certain prefixes of an S3 bucket.

First, copy this JSON document as the template that will be modified.

Download only template
{
  "Version": "2012-10-17",
  "Id": "collaborator-username-download",
  "Statement": [
    {
      "Sid": "AllowListBucketInSpecificPrefixes",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::my-data-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "exports/researchA/",
            "exports/researchB/subset/"
          ]
        }
      }
    },
    {
      "Sid": "AllowGetObjectsInSpecificPrefixes",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::my-data-bucket/exports/researchA/*",
        "arn:aws:s3:::my-data-bucket/exports/researchB/subset/*"
      ]
    },
    {
      "Sid": "ExplicitDenyWriteOrDelete",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:AbortMultipartUpload",
        "s3:PutObjectAcl",
        "s3:RestoreObject"
      ],
      "Resource": "arn:aws:s3:::my-data-bucket/exports/*"
    }
  ]
}

Next, modify the template to use the specific bucket name and prefixes as needed for the collaboration.

Line 9
      "Action": ["s3:ListBucket"], 
      "Resource": "arn:aws:s3:::my-data-bucket", # Change here
      "Condition": { 
Lines 13 & 14
      "s3:prefix": [ 
        "exports/researchA/", # Change / Add Here
        "exports/researchB/subset/" # Change / Add here
      ] 
Lines 27 & 28
      "Resource": [ 
        "arn:aws:s3:::my-data-bucket/exports/researchA/*", # Change / Add here
        "arn:aws:s3:::my-data-bucket/exports/researchB/subset/*" # Change / Add here
      ] 
Line 42 (the object ARN must end in /* so the deny covers every object under the prefix, not just a key named "exports/")
      ],
      "Resource": "arn:aws:s3:::my-data-bucket/exports/*" # Change here
    }

Last, give the policy an Id that is specific to this collaboration, so it can be identified and removed after the collaboration ends or as needed.

Line 3
{
  "Version": "2012-10-17",
  "Id": "collaborator-username-download", # Change here
  "Statement": [

This template is designed for creating an IAM policy to attach to a new AWS IAM user that allows specific collaborators to upload and download files (read-write-delete) to and from certain prefixes of an S3 bucket.

First, copy this JSON document as the template that will be modified.

Upload/Download template
{ 
  "Version": "2012-10-17", 
  "Id": "collaborator-username-readwrite", 
  "Statement": [ 
    { 
      "Sid": "AllowListBucketInSpecificPrefixes", 
      "Effect": "Allow", 
      "Action": ["s3:ListBucket"], 
      "Resource": "arn:aws:s3:::my-data-bucket", 
      "Condition": { 
        "StringLike": { 
          "s3:prefix": [ 
            "exports/researchA/",
            "exports/researchB/subset/" 
          ] 
        } 
      } 
    }, 
    { 
      "Sid": "AllowReadWriteObjectsInSpecificPrefixes", 
      "Effect": "Allow", 
      "Action": [ 
        "s3:GetObject", 
        "s3:GetObjectVersion", 
        "s3:PutObject" 
      ],    
      "Resource": [ 
        "arn:aws:s3:::my-data-bucket/exports/researchA/*", 
        "arn:aws:s3:::my-data-bucket/exports/researchB/subset/*" 
      ] 
    }, 
    { 
      "Sid": "OptionalAllowDeleteInSpecificPrefixes", 
      "Effect": "Allow", 
      "Action": [ 
        "s3:DeleteObject", 
        "s3:DeleteObjectVersion", 
        "s3:AbortMultipartUpload" 
      ], 
      "Resource": [ 
        "arn:aws:s3:::my-data-bucket/exports/researchA/*", 
        "arn:aws:s3:::my-data-bucket/exports/researchB/subset/*" 
      ] 
    } 
  ] 
}

Next, modify the template to use the specific bucket name and prefixes as needed for the collaboration.

Line 9
      "Action": ["s3:ListBucket"], 
      "Resource": "arn:aws:s3:::my-data-bucket", # Change here
      "Condition": { 
Lines 13 & 14
      "s3:prefix": [ 
        "exports/researchA/", # Change / Add Here
        "exports/researchB/subset/" # Change / Add here
      ] 
Lines 28 & 29
      "Resource": [ 
        "arn:aws:s3:::my-data-bucket/exports/researchA/*", # Change / Add here
        "arn:aws:s3:::my-data-bucket/exports/researchB/subset/*" # Change / Add here
      ] 
Lines 41 & 42
      "Resource": [ 
        "arn:aws:s3:::my-data-bucket/exports/researchA/*", # Change / Add here
        "arn:aws:s3:::my-data-bucket/exports/researchB/subset/*" # Change / Add here
      ] 
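As an added example (not part of the page's templates), the following Python renders either template above for a given bucket and prefix list and evaluates sample requests against it locally, so the intended allow/deny outcome can be checked before the policy is created in the console. The bucket name, prefixes and Id are constructed sample values, the evaluator only models the StringLike s3:prefix condition these templates use, and the download-only Deny is widened to every object in the bucket rather than the page's exports/ scope.

```python
import fnmatch

# Constructed sample values for this example; use the real bucket and prefixes.
BUCKET = "my-data-bucket"
PREFIXES = ["exports/researchA/", "exports/researchB/subset/"]


def build_policy(bucket, prefixes, policy_id, read_write=False):
    """Render the download-only or upload/download template for one bucket and prefix list."""
    objects = [f"arn:aws:s3:::{bucket}/{p}*" for p in prefixes]
    statements = [
        {"Sid": "AllowListBucketInSpecificPrefixes", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": list(prefixes)}}},
        {"Sid": "AllowObjectsInSpecificPrefixes", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"] + (["s3:PutObject"] if read_write else []),
         "Resource": objects},
    ]
    if read_write:
        statements.append({"Sid": "OptionalAllowDeleteInSpecificPrefixes", "Effect": "Allow",
                           "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                                      "s3:AbortMultipartUpload"], "Resource": objects})
    else:
        # Explicit deny for every object in the bucket (wider than the page's exports/ scope).
        statements.append({"Sid": "ExplicitDenyWriteOrDelete", "Effect": "Deny",
                           "Action": ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
                                      "s3:AbortMultipartUpload", "s3:PutObjectAcl",
                                      "s3:RestoreObject"],
                           "Resource": f"arn:aws:s3:::{bucket}/*"})
    return {"Version": "2012-10-17", "Id": policy_id, "Statement": statements}


def evaluate(policy, action, resource, prefix=None):
    """Local approximation of IAM evaluation: explicit Deny wins, then Allow, else ImplicitDeny."""
    decision = "ImplicitDeny"
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        wanted = s.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        # A condition key absent from the request makes the condition false (no IfExists here).
        if wanted is not None and (prefix is None or not any(fnmatch.fnmatchcase(prefix, w) for w in wanted)):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Listing the bucket root with no prefix is denied, which is why collaborators must list the exact prefix they were given.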


Now the rest of the process is completed within the AWS Console using the steps below.

  • Create the IAM policy:

IAM console > Policies > Create policy > JSON

Paste the JSON above with your values > Create policy.

  • Create a group and attach the policy:

IAM console > User groups > Create group (e.g., ExternalS3ReadOnly)

Attach the policy created in the previous step (e.g., S3ReadOnlySpecificPrefixes) to the group.

  • Create the IAM user and add to the group:

IAM console > Users > Create user

Add the user to ExternalS3ReadOnly

Create an access key for CLI (programmatic) access.

Save the Access Key ID and Secret Access Key and share them securely with the collaborator.