EL storage: Restricting user access at the bucket or folder level via the Wasabi console

With EL storage, we offer you scalable and cost-effective S3-compatible cloud storage based on Wasabi Hot Cloud Storage technology. In our helpdesk articles, we show you how to administer EL storage via the Wasabi console.

Often, multiple people access an EL storage account to store or back up data in the cloud storage. In these cases, to shield personal data from other users, you can restrict access for certain users to individual buckets or even individual folders within the buckets.

These instructions require that you already have an EL storage account and have created a bucket or folder within a bucket that you want to restrict access to. If you don't have an account yet, you can get a trial version here.

1. Restricting access at the bucket level:
First, log in to the Wasabi web console with your root account.
Navigate to the "Policies" tab in the left menu bar and select "CREATE POLICY."
Give your policy a name and description.
Now you need to insert the content of the policy into the policy document. There are two different options for bucket-level access:

1. The user has access to the web console and should be able to perform operations within it. However, in this case, the user will be able to see the names of all existing buckets. The policy would look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::Bucket-Name",
        "arn:aws:s3:::Bucket-Name/*"
      ]
    }
  ]
}

Replace "Bucket-Name" with the name of the bucket to which the user should have access.
To avoid creating a separate policy for each individual user in this case, you can work with the ${aws:username} policy variable, which is replaced at evaluation time with the name of the user making the request.
In this scenario, make sure that each user's username is identical to the name of the bucket that user should have access to.
Such a policy would look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::${aws:username}",
        "arn:aws:s3:::${aws:username}/*"
      ]
    }
  ]
}

2. The user cannot log in to the web console but has access via software (backup user, etc.). In this case, the policy would look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::Bucket-Name/*",
        "arn:aws:s3:::Bucket-Name"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::Bucket-Name/*",
        "arn:aws:s3:::Bucket-Name"
      ]
    }
  ]
}

Replace "Bucket-Name" with the name of the bucket to which the user should have access.

When using a third-party file explorer, the user may still be able to see the names of all buckets. In this case, an additional explicit deny policy must be assigned to the user. Because an explicit Deny always overrides an Allow, it blocks access to every bucket except the one listed under "NotResource". The policy would have the following content:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "NotResource": [
        "arn:aws:s3:::Bucket-Name/*",
        "arn:aws:s3:::Bucket-Name"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "NotResource": [
        "arn:aws:s3:::Bucket-Name/*",
        "arn:aws:s3:::Bucket-Name"
      ]
    }
  ]
}

After adjusting and inserting the policy, a green checkmark should appear under "Policy Document", indicating that the policy is syntactically valid. Finish the creation process by clicking "CREATE POLICY".

Some file explorers and backup solutions require the "s3:ListAllMyBuckets" permission to access the buckets at all. If this is the case, only the first policy (option 1) is suitable, and it is regrettably not possible to hide the bucket names from other users.

2. Access restriction at the folder level:

Access restriction at the folder level also requires a policy for users or groups. Create a policy as described above. The content of this policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::Bucket-Name"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "Folder-Name/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::Bucket-Name"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["Folder-Name/*"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::Bucket-Name/Folder-Name/*"]
    }
  ]
}

Insert the name of the respective bucket for "Bucket-Name" and the name of the relevant folder within that bucket for "Folder-Name".
Note: "Folder-Name" must be a folder that actually exists in the bucket you specified for "Bucket-Name". The first "s3:ListBucket" statement lets the user see the bucket's top level and the folder itself, the second lets them list everything below the folder, and the final statement grants the actual object operations only inside that folder.
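Before attaching one of these policies in the console, it helps to check which requests it actually allows. The following is an added example written for this article; it is neither the article's nor Wasabi's code, but a small evaluator that applies the same Allow / Deny / NotResource / Condition rules to the policy shapes shown in both sections (the bucket-level policies from section 1 and the folder-level policy from section 2). The bucket names "backup-data" and "company-data", the folder "reports/", and the users "alice" and "bob" are constructed placeholders. It assumes only the StringEquals and StringLike condition operators, case-sensitive wildcard matching, an implicit Deny when no statement matches, and an explicit Deny that always wins; real policy evaluation has more operators and details than this.

```python
import fnmatch

# Added example, not from the article or Wasabi. Bucket/folder/user names are constructed.
# Assumptions: only StringEquals/StringLike conditions, case-sensitive '*'/'?' matching,
# implicit Deny when nothing matches, and an explicit Deny that overrides any Allow.

# Section 1, option 1: one bucket per user via the ${aws:username} variable.
BUCKET_BY_USERNAME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::${aws:username}", "arn:aws:s3:::${aws:username}/*"]},
]}

# Section 1, option 2: software-only user for the bucket "backup-data", plus the explicit
# deny for every other bucket (a single s3:* statement also covers the listing actions).
SOFTWARE_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
     "Resource": ["arn:aws:s3:::backup-data/*", "arn:aws:s3:::backup-data"]},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::backup-data/*", "arn:aws:s3:::backup-data"]},
]}
OTHER_BUCKETS_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "NotResource": ["arn:aws:s3:::backup-data/*", "arn:aws:s3:::backup-data"]},
]}

# Section 2: access limited to the folder "reports/" inside the bucket "company-data".
FOLDER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowUserToSeeBucketListInTheConsole", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": ["arn:aws:s3:::*"]},
    {"Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::company-data"],
     "Condition": {"StringEquals": {"s3:prefix": ["", "reports/"], "s3:delimiter": ["/"]}}},
    {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::company-data"],
     "Condition": {"StringLike": {"s3:prefix": ["reports/*"]}}},
    {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
     "Action": ["s3:*"], "Resource": ["arn:aws:s3:::company-data/reports/*"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Policy wildcards '*' and '?' against an action name or ARN.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            actual = ctx.get(key)
            if actual is None:                  # key absent from the request: condition fails
                return False
            if operator == "StringEquals" and actual not in allowed:
                return False
            if operator == "StringLike" and not _matches(allowed, actual):
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Decide one request; ctx holds 'aws:username' and, for ListBucket,
    's3:prefix' / 's3:delimiter'. Returns 'Allow' or 'Deny'."""
    decision = "Deny"                           # implicit deny until an Allow matches
    user = ctx.get("aws:username", "")
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(_as_list(st["Action"]), action):
                continue
            if "Resource" in st:
                arns = [r.replace("${aws:username}", user) for r in _as_list(st["Resource"])]
                if not _matches(arns, resource):
                    continue
            else:                               # NotResource: applies to everything NOT listed
                arns = [r.replace("${aws:username}", user) for r in _as_list(st["NotResource"])]
                if _matches(arns, resource):
                    continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"                   # explicit deny overrides any Allow
            decision = "Allow"
    return decision


def demo():
    alice, sw, cd = {"aws:username": "alice"}, [SOFTWARE_ALLOW, OTHER_BUCKETS_DENY], "arn:aws:s3:::company-data"
    return {
        "alice_own_bucket":   evaluate([BUCKET_BY_USERNAME], "s3:GetObject", "arn:aws:s3:::alice/backup.tar", alice),
        "alice_other_bucket": evaluate([BUCKET_BY_USERNAME], "s3:GetObject", "arn:aws:s3:::bob/backup.tar", alice),
        "sw_list_own":        evaluate(sw, "s3:ListBucket", "arn:aws:s3:::backup-data", {}),
        "sw_list_other":      evaluate(sw, "s3:ListBucket", "arn:aws:s3:::finance", {}),
        "sw_list_all":        evaluate(sw, "s3:ListAllMyBuckets", "arn:aws:s3:::*", {}),
        "folder_list_root":   evaluate([FOLDER_POLICY], "s3:ListBucket", cd, {"s3:prefix": "", "s3:delimiter": "/"}),
        "folder_list_deep":   evaluate([FOLDER_POLICY], "s3:ListBucket", cd, {"s3:prefix": "reports/2024/"}),
        "folder_list_secret": evaluate([FOLDER_POLICY], "s3:ListBucket", cd, {"s3:prefix": "secret/", "s3:delimiter": "/"}),
        "folder_get_inside":  evaluate([FOLDER_POLICY], "s3:GetObject", cd + "/reports/q1.csv", {}),
        "folder_get_outside": evaluate([FOLDER_POLICY], "s3:GetObject", cd + "/secret/q1.csv", {}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

Running the script prints one decision per request. Two results are worth noting: "sw_list_all" is denied, which is exactly the situation described for tools that need "s3:ListAllMyBuckets", and "sw_list_other" is denied only because of the explicit deny policy; without OTHER_BUCKETS_DENY the request would still fall through to an implicit deny here, but a client that enumerates buckets through other calls is what the extra policy is meant to stop.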

Now you just need to assign the policy to an existing user or create a new user with this policy. You can find instructions for creating a user here.

You can also find further information here in the manufacturer's documentation.