Our Linux machines use an S3 bucket to back up some files every night.
The machines only need write access (PutObject) to a single bucket on S3.
AWS Identity and Access Management (IAM) lets you grant this permission on a single bucket. However, configuring s3cmd correctly and getting a successful test run takes a small trick; otherwise the final configuration test of s3cmd shows this error:
    ERROR: Test failed: 403 (AccessDenied): Access Denied
s3cmd needs the ListAllMyBuckets permission.
Here is the policy document that worked.
    {
      "Statement": [
        {
          "Action": [
            "s3:ListAllMyBuckets"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Action": [
            "s3:ListBucket",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::mybackupbucket",
            "arn:aws:s3:::mybackupbucket/*"
          ]
        }
      ]
    }
Important: Make sure you replace mybackupbucket with your own bucket name.
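To confirm that the policy above stays write-only, the following added example (not part of the original post, and not AWS's evaluation engine) runs a simplified Allow/Deny match over the policy and probes for grants a backup host should not have. The function names, the probe list, the object key and the `otherbucket` name are assumptions made for illustration; Condition, NotAction and NotResource elements are not handled.

```python
import json
import re

# Policy from this page, bucket name as written there.
POLICY = json.loads("""
{"Statement": [
  {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow",
   "Resource": "arn:aws:s3:::*"},
  {"Action": ["s3:ListBucket", "s3:PutObject"], "Effect": "Allow",
   "Resource": ["arn:aws:s3:::mybackupbucket",
                "arn:aws:s3:::mybackupbucket/*"]}
]}
""")

def _as_list(value):
    """IAM lets Action/Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]

def _wild(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None

def is_allowed(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, then any Allow, else deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive, ARNs are case-sensitive.
        if not any(_wild(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def unexpected_grants(policy, bucket):
    """Return the constructed probes that a write-only backup policy allows."""
    obj = f"arn:aws:s3:::{bucket}/nightly/etc.tar.gz"  # constructed sample key
    probes = [
        ("s3:GetObject", obj),
        ("s3:DeleteObject", obj),
        ("s3:PutBucketPolicy", f"arn:aws:s3:::{bucket}"),
        ("s3:PutObject", "arn:aws:s3:::otherbucket/x"),
        ("s3:ListBucket", "arn:aws:s3:::otherbucket"),
    ]
    return [(a, r) for a, r in probes if is_allowed(policy, a, r)]

if __name__ == "__main__":
    print(unexpected_grants(POLICY, "mybackupbucket"))
```

An empty list means none of the probes is granted; running it against an edited policy before attaching it shows whether a wildcard such as `s3:*` has widened access.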