2018-12-22 10:23 — By Erik van Eykelen

Simple IAM User, Group, and Bucket Policy for File Uploads

Recently I wanted to set up an AWS S3 bucket to conduct some tests with Transloadit.com. Amazon has beefed up the default security of S3 buckets in recent years and introduced new ways to define policies which I hadn’t used before, so I felt a bit lost in the woods.

Since I kept running into an issue where S3 refused Transloadit access to upload an image, I wanted to document what works in the end. Let’s start by saying that I don’t know if I found the best combination of settings.

Step 1 – Create an IAM group with no settings other than this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::BUCKETNAME/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::BUCKETNAME"
        }
    ]
}

Step 2 – Create a basic IAM user and add it to the group. The user’s Access Key ID and Secret Access Key are used by Transloadit.

Step 3 – Disable one of the four bucket public access settings, which are enabled by default. The setting I disabled is called “Block new public ACLs and uploading public objects”. I am not sure why I must untick this box, since Transloadit does not attempt to store a public object.

With these settings, Transloadit is able to access the bucket and upload files, using non-public access by default.
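As an added example (not code from this post, from Transloadit or from AWS), here is the group policy above as a Python template that fills in the real bucket name and then checks that no Allow statement reaches beyond that one bucket: no wildcard actions, nothing account-wide except the two discovery actions, and no other bucket’s ARN. The bucket name my-test-bucket is a constructed placeholder.

```python
import json

# The group policy from the post as a template; BUCKETNAME is filled in by render_policy().
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject",
                    "s3:GetObjectAcl", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::BUCKETNAME/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::BUCKETNAME"},
    ],
}

# Only these two actions are acceptable account-wide; they let a client
# discover the bucket and its region without reading any object.
ACCOUNT_WIDE_OK = {"s3:ListAllMyBuckets", "s3:GetBucketLocation"}

def render_policy(bucket: str) -> dict:
    """Return the template with BUCKETNAME replaced by the real bucket name."""
    return json.loads(json.dumps(POLICY_TEMPLATE).replace("BUCKETNAME", bucket))

def scope_violations(policy: dict, bucket: str) -> list:
    """List (action, resource) grants that reach beyond the single bucket:
    wildcard actions, non-discovery actions on every bucket, or any
    resource that is not this bucket or its objects. Empty list means OK."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    in_scope = {bucket_arn, bucket_arn + "/*"}
    account_wide = {"*", "arn:aws:s3:::*"}
    bad = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for action in actions:
            for res in resources:
                if "*" in action:                      # s3:* or s3:Put* is too broad
                    bad.append((action, res))
                elif res in account_wide and action not in ACCOUNT_WIDE_OK:
                    bad.append((action, res))          # account-wide data access
                elif res not in account_wide and res not in in_scope:
                    bad.append((action, res))          # some other bucket
    return bad
```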

Check out my product Operand, a collaborative tool for due diligences, audits, and assessments.