We can grant READ to any AWS account (that is, to any request signed with valid AWS credentials, not only users in our own account) using the AuthenticatedUsers predefined group by performing the following steps:
- If you followed along with the previous section, remove the List objects permission for the bucket that was granted to Everyone.
- Create an access control policy document that grants READ to the AuthenticatedUsers group and save it as acl-grant-authenticated-users.json:
{
    "Owner": {
        "DisplayName": "awsseccookbook",
        "ID": "5df5b6014ae606808dcb64208aa09e4f19931b3123456e152c4dfa52d38bf8fd"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "READ"
        }
    ]
}
Here, the Owner element holds the current account's display name and canonical ID (both are shown by aws s3api get-bucket-acl). The Grants element grants the READ permission to the AuthenticatedUsers group. Note that put-bucket-acl replaces the bucket's entire ACL with this document, so any grant you leave out, including the owner's own FULL_CONTROL grant, is removed.
- Execute the put-bucket-acl command by providing the preceding policy document:
aws s3api put-bucket-acl \
    --bucket awsseccookbook \
    --access-control-policy file://resources/acl-grant-authenticated-users.json \
    --profile awssecadmin
- The testuser user should now be able to list the contents of the S3 bucket, because its request is signed with AWS credentials and therefore matches the AuthenticatedUsers group. A browser request carries no AWS signature and is treated as anonymous, so we still won't be able to list the bucket contents from the browser; only a grant to the AllUsers group would allow that. Keep in mind that AuthenticatedUsers covers every AWS account in existence, not just ours, which is why S3 Block Public Access treats such a grant as public and, when enabled, rejects this put-bucket-acl call; a bucket whose ACLs are disabled (the BucketOwnerEnforced object ownership setting, the default for new buckets) rejects it as well.
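The following Python is an added example and is not code from the book: it builds the same kind of access control policy document that the recipe feeds to put-bucket-acl, audits it for grants that Block Public Access would classify as public (any grant to the AllUsers or AuthenticatedUsers group), and models the ACL-only access decision so you can see why a signed request from testuser is allowed while an unsigned browser request is not. The owner name and canonical ID are the ones from the recipe; the second canonical ID used in the test is constructed. The evaluation model is simplified and ignores IAM and bucket policies.

```python
import json

# Predefined S3 group URIs (real AWS identifiers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
ACL_PERMISSIONS = {"FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP"}

# Owner values taken from the recipe's document.
OWNER_NAME = "awsseccookbook"
OWNER_ID = "5df5b6014ae606808dcb64208aa09e4f19931b3123456e152c4dfa52d38bf8fd"


def group_grantee(uri):
    return {"Type": "Group", "URI": uri}


def canonical_user_grantee(canonical_id, display_name=None):
    grantee = {"Type": "CanonicalUser", "ID": canonical_id}
    if display_name:
        grantee["DisplayName"] = display_name
    return grantee


def build_acl(owner_id, owner_name, grants, keep_owner_full_control=True):
    """Return an AccessControlPolicy document suitable for put-bucket-acl.

    put-bucket-acl replaces the whole ACL, so the owner's FULL_CONTROL grant is
    written explicitly unless keep_owner_full_control is False. The recipe's
    document omits it, which S3 accepts but which leaves the owner account
    with no ACL-level grant on the bucket.
    """
    policy_grants = []
    if keep_owner_full_control:
        policy_grants.append({"Grantee": canonical_user_grantee(owner_id, owner_name),
                              "Permission": "FULL_CONTROL"})
    for grantee, permission in grants:
        if permission not in ACL_PERMISSIONS:
            raise ValueError(f"unknown ACL permission: {permission}")
        policy_grants.append({"Grantee": grantee, "Permission": permission})
    return {"Owner": {"DisplayName": owner_name, "ID": owner_id}, "Grants": policy_grants}


def public_grants(acl):
    """Grants that S3 Block Public Access treats as public: any grant to the
    AllUsers or AuthenticatedUsers group. Returns (permission, group_uri) tuples."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grant["Permission"], grantee["URI"]))
    return findings


def acl_allows(acl, permission, requester_id=None):
    """Simplified ACL-only evaluation (ignores IAM and bucket policies).

    requester_id=None models an unsigned request such as a browser GET, which
    only matches AllUsers. A signed request from any AWS account matches
    AllUsers, AuthenticatedUsers and grants to its own canonical ID.
    FULL_CONTROL implies every other permission.
    """
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        granted = grant["Permission"]
        if granted != "FULL_CONTROL" and granted != permission:
            continue
        if grantee["Type"] == "Group":
            uri = grantee["URI"]
            if uri == ALL_USERS:
                return True
            if uri == AUTHENTICATED_USERS and requester_id is not None:
                return True
        elif grantee["Type"] == "CanonicalUser" and grantee["ID"] == requester_id:
            return True
    return False


def recipe_acl():
    """The recipe's grant (READ for AuthenticatedUsers), with the owner grant kept."""
    return build_acl(OWNER_ID, OWNER_NAME, [(group_grantee(AUTHENTICATED_USERS), "READ")])


if __name__ == "__main__":
    acl = recipe_acl()
    # Write this JSON to acl-grant-authenticated-users.json for put-bucket-acl.
    print(json.dumps(acl, indent=2))
    print("grants Block Public Access calls public:", public_grants(acl))
    other_account = "a" * 64  # constructed canonical ID for some other AWS account
    print("signed request from another account, READ:", acl_allows(acl, "READ", other_account))
    print("unsigned browser request, READ:", acl_allows(acl, "READ"))
```

Run the script to print the document and the audit; the output shows a READ grant flagged as public, READ allowed for any signed request, and READ refused for the anonymous one, which is the behaviour observed in the last step of the recipe.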