Restrict a user to access a single bucket using policies on Cloud Object Storage powered by Wasabi

 

Description

To keep a user away from sensitive data in other buckets of your tenant, create a policy that grants access to a single bucket and assign it to that user or group. A sub-user has no access until a policy grants it, so every bucket the policy does not name stays inaccessible to that user.

Procedure

1. Log in to the Wasabi console with your credentials (as the root account or as a sub-user with Administrator Access).



2. Go to the Policies section and click on CREATE POLICY.



3. Enter a policy name and a policy description.
In this example, the policy name is “backup-export-access”.



4. Copy the JSON below and paste it into the Policy Editor. Replace backup-export with the name of the bucket the user is allowed to access.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::backup-export",
        "arn:aws:s3:::backup-export/*"
      ]
    }
  ]
}

The first statement only lets the user list the names of the buckets in the account, so the console and S3 clients can display the bucket list; it grants no access to their contents. The second statement grants every S3 operation on the named bucket (the bucket ARN) and on the objects in it (the /* ARN), which includes deleting objects and changing bucket-level settings such as the bucket policy. If the user only needs to read, replace "s3:*" with the specific actions required, for example "s3:ListBucket" and "s3:GetObject".

Then, click on CREATE POLICY.





5. Assign the policy to the desired users or groups. Refer to the article on how to create groups and assign policies if needed.



6. With the policy assigned, the user can open and use the backup-export bucket, while an attempt to open any bucket not named in the policy from the web console is denied.




Note: the policy applies to every request the user makes, so if the user has an access key it also restricts access made with that key over the S3 API, not only through the web console.
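The policy above and the behaviour described in step 6 can be reasoned about before anything is deployed. The following Python script is an added example, not Wasabi's code and not part of the original article: it builds the article's policy for any bucket name and evaluates a set of constructed sample requests against it using a simplified IAM evaluation model (explicit Deny wins, then any matching Allow, otherwise implicit deny; no Condition, NotAction, NotResource or bucket policies), so it models the policy semantics rather than Wasabi's actual authorization engine. The bucket names finance-data and backup-export-archive and the object keys are made up for the demonstration.

```python
import json
import re

# Added example, not Wasabi's code: build the article's single-bucket policy for any
# bucket name and evaluate sample requests against it locally with a simplified IAM
# model (explicit Deny wins, then Allow, otherwise implicit deny; no Condition/NotAction).


def single_bucket_policy(bucket, actions="s3:*"):
    """Return the policy from the article, parameterised by bucket name and allowed actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Lets the console and S3 clients list bucket *names*; grants no access to contents.
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
            # The bucket ARN covers bucket-level calls (ListBucket, PutBucketPolicy, ...),
            # the /* ARN covers object-level calls (GetObject, DeleteObject, ...).
            {
                "Effect": "Allow",
                "Action": actions,
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate(policy, action, resource):
    """Decide Allow / Deny / ImplicitDeny for one request against one identity policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        action_hit = any(_wildcard_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed sample requests; every bucket other than backup-export is made up.
SAMPLE_REQUESTS = [
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    ("s3:ListBucket", "arn:aws:s3:::backup-export"),
    ("s3:GetObject", "arn:aws:s3:::backup-export/2024/db.tar.gz"),
    ("s3:DeleteObject", "arn:aws:s3:::backup-export/2024/db.tar.gz"),
    ("s3:PutBucketPolicy", "arn:aws:s3:::backup-export"),
    ("s3:ListBucket", "arn:aws:s3:::finance-data"),
    ("s3:GetObject", "arn:aws:s3:::finance-data/payroll.csv"),
    # Similar prefix: not matched, because the object ARN pattern requires "backup-export/".
    ("s3:GetObject", "arn:aws:s3:::backup-export-archive/old.tar.gz"),
]


def run_checks(policy):
    """Evaluate every sample request and return {(action, resource): decision}."""
    return {(a, r): evaluate(policy, a, r) for a, r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    full = single_bucket_policy("backup-export")
    print(json.dumps(full, indent=2))
    for (action, resource), decision in run_checks(full).items():
        print(f"{decision:12} {action:22} {resource}")
    # Least-privilege variant: same bucket, but list and read only.
    readonly = single_bucket_policy("backup-export", ["s3:ListBucket", "s3:GetObject"])
    print("read-only policy, DeleteObject:",
          evaluate(readonly, "s3:DeleteObject", "arn:aws:s3:::backup-export/2024/db.tar.gz"))
```

Running the script prints the generated policy and one decision per sample request. Two results are worth noticing: a bucket with a similar name prefix (backup-export-archive) is still denied, because the object ARN pattern requires the exact bucket name followed by a slash, and under "s3:*" the user is also allowed to delete objects and to call PutBucketPolicy on the bucket, which is why the read-only variant at the end is the safer choice when the user only needs to download.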


Example below with WinSCP: