When setting up Press3 to store your static WordPress assets on your own Amazon S3 bucket, you'll need to provide credentials for a user who has access to the S3 bucket. For maximum security, this user should have access only to what it needs.
In this article, we'll show you how to create an IAM policy for your user that grants access only to the bucket that's going to be used.
Note: This article assumes that you've already created an S3 bucket for use with Press3. If you haven't yet done so, take a look at our article on creating Amazon S3 buckets.
- Start by logging into the IAM section of your AWS console.
- On the left side menu, click on Policies to access your IAM policies.
- To create a new policy, click on the Create Policy button at the top of the page.
- When creating policies, you can either use the visual editor or configure your policy using JSON. For this article, we’ll be using JSON. Simply click on the JSON tab to access the JSON editor.
- Within the JSON editor, enter the following policy, replacing REPLACE_WITH_YOUR_BUCKET_NAME with the name of your S3 bucket and REPLACE_WITH_VPS_IP with your VPS IP. Each placeholder appears twice.
You can determine your VPS IP by going into Atomic, navigating to Apps and selecting one of your apps, then clicking the "Show More" button to see "External IP".
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowObject0",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject"
          ],
          "Resource": "arn:aws:s3:::REPLACE_WITH_YOUR_BUCKET_NAME/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "REPLACE_WITH_VPS_IP/32"
            }
          }
        },
        {
          "Sid": "AllowBucket0",
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::REPLACE_WITH_YOUR_BUCKET_NAME",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "REPLACE_WITH_VPS_IP/32"
            }
          }
        }
      ]
    }
This policy ensures that the user can read, upload and list objects inside the bucket, and only when the request comes from your VPS IP. The user can’t do anything else, including accessing other S3 buckets that may exist on your account.
- Once the policy is in place, click on Review Policy.
- Finally, create a name and optional description for your policy, then click on Create Policy to create the new policy.
That's it! Your policy is now created! From here, you can easily create a new IAM user that uses this policy for accessing your S3 bucket with Press3.
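To see what the policy above permits and refuses, the following added example (not part of the original article or of Press3) evaluates it against sample requests using a simplified model of IAM evaluation that checks only Action, Resource and the IpAddress condition. The bucket name example-press3-assets and the IP 203.0.113.10 are constructed placeholders.

```python
import fnmatch
import ipaddress

# Constructed placeholders standing in for your bucket name and VPS IP.
BUCKET = "example-press3-assets"
VPS_IP = "203.0.113.10"

# The article's policy with the placeholders filled in.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowObject0", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"IpAddress": {"aws:SourceIp": f"{VPS_IP}/32"}}},
        {"Sid": "AllowBucket0", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"IpAddress": {"aws:SourceIp": f"{VPS_IP}/32"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_condition_ok(statement, source_ip):
    # Only the IpAddress / aws:SourceIp condition is modelled here.
    cond = statement.get("Condition", {}).get("IpAddress", {})
    if not cond:
        return True  # statement carries no IP restriction
    addr = ipaddress.ip_address(source_ip)
    cidrs = _as_list(cond.get("aws:SourceIp", []))
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def is_allowed(policy, action, resource, source_ip):
    """Simplified IAM logic: explicit Deny wins, else a matching Allow, else deny."""
    allowed = False
    for st in policy["Statement"]:
        matches = (
            any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
            and _ip_condition_ok(st, source_ip)
        )
        if matches and st["Effect"] == "Deny":
            return False
        allowed = allowed or (matches and st["Effect"] == "Allow")
    return allowed
```

Under this model, uploads, downloads and listing succeed only for this bucket and only from the VPS IP; s3:DeleteObject, other buckets and other source addresses all fall through to the default deny.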