<Marc Qualie/>

Write only S3 permissions

Time and time again I've found myself needing to limit access to S3 repositories via write-only. Read-Only access is widely used for public repositories, such as CDNs. A highly common use case for write-only access is allowing users to upload new files, but not modify any that currently exist.

Here is an example of a common policy I use. It will allow read access to the entire bucket, but allow write-only access to anything within the /blog/* path. This is currently being used by at least 2 clients for uploading new files to their bucket, without being able to accidentally delete or modify any existing images.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::media.marcqualie.com"
            ]
        },
        {
            "Sid": "BaseObjectReadPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
            ],
            "Resource": [
                "arn:aws:s3:::media.marcqualie.com/*"
            ]
        },
        {
            "Sid": "BlogWritePermissions",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::media.marcqualie.com/blog/*"
            ]
        }
    ]
}

It's worth pointing out that if you apply this as a bucket policy then your bucket will open to the world. This will allow anyone to upload anything to your bucket, which could cause you legal or cost problems. A more sensible option is to add this to an IAM user, which applies these permissions only to that user when they are authenticated.

I've labelled each policy section to be pretty self explanatory, but I'm happy to help if you have any questions in the comments.

If you have any questions about this post, or anything else, you can get in touch on Bluesky or browse my code on Github.