IAM Policy for Full S3 Access to a Single Bucket
Create an IAM policy granting full read/write access to a specific S3 bucket while preventing access to all other buckets in the account.
Detailed Explanation
Full S3 Access — Scoped to One Bucket
When an application needs to upload, download, delete, and list objects in a specific bucket, you need a policy that grants broad S3 permissions but only for that single bucket. This is much safer than granting s3:* on a Resource of "*". Note that the policy lists two resources: the bucket ARN, against which bucket-level actions such as s3:ListBucket and s3:GetBucketLocation are evaluated, and the bucket ARN with a trailing /*, against which object-level actions such as s3:GetObject and s3:PutObject are evaluated. Omitting either one causes the corresponding calls to fail with AccessDenied.
Policy JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullBucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::my-app-bucket",
        "arn:aws:s3:::my-app-bucket/*"
      ]
    }
  ]
}
Multipart Upload Actions
For large file uploads (typically over 100 MB), the AWS SDK automatically uses multipart uploads. Without the ListMultipartUploadParts, ListBucketMultipartUploads, and AbortMultipartUpload actions, large uploads will fail or leave incomplete parts consuming storage.
What This Does NOT Include
- Bucket management actions like CreateBucket, DeleteBucket, PutBucketPolicy, or PutBucketEncryption — these are typically reserved for infrastructure administrators.
- Cross-account access — for that you also need a bucket policy on the target bucket.
- ACL operations — PutBucketAcl and PutObjectAcl are intentionally excluded; use bucket policies instead for access control.
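A small policy check, added here as an example and not part of the original page or any AWS tooling, that encodes the rules above: every resource must be the target bucket ARN or its /* form, no wildcard actions, none of the management or ACL actions listed above, and each bucket-level action must be paired with the bucket ARN while each object-level action must be paired with the bucket/* ARN. The policy dict and the bucket name my-app-bucket are the page's own; the function and the set names are this example's.

```python
# Constructed sample: the page's policy as a Python dict (JSON keys unchanged).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FullBucketAccess",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
                   "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
                   "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
                   "s3:GetObjectTagging", "s3:PutObjectTagging"],
        "Resource": ["arn:aws:s3:::my-app-bucket", "arn:aws:s3:::my-app-bucket/*"],
    }],
}

# Actions that act on the bucket itself: they must be granted on the bucket ARN.
# Every other action in this policy is object-level and needs the bucket/* ARN.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}
# Bucket-management and ACL actions the page deliberately leaves out.
EXCLUDED = {"s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketPolicy",
            "s3:PutBucketEncryption", "s3:PutBucketAcl", "s3:PutObjectAcl"}

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def check_single_bucket_policy(policy, bucket):
    """Return a list of findings; an empty list means the policy is scoped as intended."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        for res in resources:  # anything but the two ARNs widens the blast radius
            if res not in (bucket_arn, bucket_arn + "/*"):
                findings.append(f"resource outside {bucket}: {res}")
        for action in as_list(stmt["Action"]):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action in EXCLUDED:
                findings.append(f"excluded management/ACL action: {action}")
            elif action in BUCKET_LEVEL and bucket_arn not in resources:
                findings.append(f"{action} needs the bucket ARN {bucket_arn}")
            elif action not in BUCKET_LEVEL and bucket_arn + "/*" not in resources:
                findings.append(f"{action} needs the object ARN {bucket_arn}/*")
    return findings

if __name__ == "__main__":
    print(check_single_bucket_policy(POLICY, "my-app-bucket") or "OK: scoped to my-app-bucket")
```

Run it against a policy before attaching it; a non-empty result is the list of ways the policy drifts from the single-bucket shape described on this page.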
Use Case
Application backends that need to read and write user uploads, process files, and manage object lifecycle in a dedicated S3 bucket. Common for content management systems, file processing pipelines, and data ingestion services.