AWS S3: Least Privilege Access Setup
Learn how to create IAM policies with minimal permissions for secure AWS S3 bucket access with Cloney.
Overview
When connecting your AWS S3 buckets to Cloney for data migration, it's essential to follow the principle of least privilege. This guide will walk you through creating IAM credentials with only the permissions necessary for Cloney to read from or write to your S3 buckets, minimizing security risks.
Never use root account credentials or overly permissive IAM users. Always create dedicated credentials with minimal required permissions.
Prerequisites
- An AWS account with administrative access to IAM
- The name of the S3 bucket(s) you want to connect
- Knowledge of whether you need read-only (source) or write (destination) access
Step 1: Access the IAM Console
- Sign in to the AWS Management Console
- Navigate to IAM (Identity and Access Management)
- In the left sidebar, click on Policies
- Click the Create policy button
Step 2: Create a Source Bucket Policy (Read-Only)
If your S3 bucket will be used as a source for migration (data will be read from it), use this policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloneySourceAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME",
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    }
  ]
}
```
Replace YOUR-BUCKET-NAME with your actual S3 bucket name.
Step 3: Create a Destination Bucket Policy (Write Access)
If your S3 bucket will be used as a destination for migration (data will be written to it), use this policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloneyDestinationAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME",
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    }
  ]
}
```
Step 4: Create an IAM User
- In the IAM console, click on Users in the left sidebar
- Click Create user
- Enter a descriptive username (e.g., cloney-migration-user)
- Click Next
- Select Attach policies directly
- Search for and select the policy you created in the previous step
- Click Next, then Create user
Step 5: Generate Access Keys
- Click on the user you just created
- Go to the Security credentials tab
- Under Access keys, click Create access key
- Select Third-party service as the use case
- Acknowledge the recommendation and click Next
- Click Create access key
- Important: Copy both the Access key ID and Secret access key. The secret key will only be shown once.
You can now use these credentials in Cloney to connect your AWS S3 bucket securely.
Permission Reference
| Permission | Purpose | Required For |
|---|---|---|
| s3:GetObject | Read object data | Source |
| s3:GetObjectVersion | Read versioned objects | Source |
| s3:ListBucket | List bucket contents | Source & Destination |
| s3:GetBucketLocation | Determine bucket region | Source & Destination |
| s3:PutObject | Write object data | Destination |
| s3:PutObjectAcl | Set object permissions | Destination |
| s3:AbortMultipartUpload | Cancel failed uploads | Destination |
| s3:ListMultipartUploadParts | Resume large uploads | Destination |
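
To confirm that a policy still matches this guide before or after attaching it, the following added example (not part of Cloney's documentation or tooling) checks a policy document against the Permission Reference table and the two bucket ARNs used in Steps 2 and 3. The names `audit_policy` and `DRIFTED` and the bucket `example-bucket` are constructed for illustration; `Condition` blocks are not evaluated.

```python
# Allowed actions per role, copied from the Permission Reference table above.
COMMON = {"s3:ListBucket", "s3:GetBucketLocation"}
ALLOWED = {
    "source": COMMON | {"s3:GetObject", "s3:GetObjectVersion"},
    "destination": COMMON | {"s3:PutObject", "s3:PutObjectAcl",
                             "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"},
}

def as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, role, bucket):
    """Return findings for a policy dict; an empty list means it matches the guide."""
    scoped = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    canon = {a.lower(): a for a in ALLOWED[role]}  # action names are case-insensitive
    findings, granted = [], set()
    for stmt in as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action.lower() not in canon:
                findings.append(f"{sid}: {action} is not needed for a {role} bucket")
            else:
                granted.add(canon[action.lower()])
        for resource in as_list(stmt.get("Resource", [])):
            if resource not in scoped:
                findings.append(f"{sid}: resource {resource} is outside bucket {bucket}")
    findings += [f"policy: missing {a}" for a in sorted(ALLOWED[role] - granted)]
    return findings

# Constructed sample: a source policy that has drifted beyond the guide.
DRIFTED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CloneySourceAccess", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject", "s3:Put*"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::*"],
}]}

if __name__ == "__main__":
    for finding in audit_policy(DRIFTED, "source", "example-bucket"):
        print(finding)
```

Load a real policy with `json.load` and pass the resulting dict, the role (`source` or `destination`) and your bucket name.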