Custom IAM Policy for Amazon S3

If you’re familiar with AWS IAM policies and wish to restrict the S3 access for the AWS User whose Access Keys are being used by WP Offload Media, here are the basic actions required for WP Offload Media to work properly.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:Put*",
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

This policy allows the user to create buckets, delete files (not buckets), upload files, download files, and list files and buckets. This is the basic level of permissions the plugin requires to function.

Bucket Restrictions

This policy can be further tightened to restrict the user’s access to a specific bucket. Simply replace the “Resource” section with the following:

"Resource": [
  "arn:aws:s3:::mybucket",
  "arn:aws:s3:::mybucket/*"
]

It’s important to note that if you do restrict access like this, the plugin will give you an Access Denied error when trying to select a bucket, because the user no longer has permission to list all the buckets in your account. Fortunately you can simply type in the bucket name.
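The following is an added example, not part of the original page or of WP Offload Media: a simplified Python model of IAM wildcard matching that evaluates a few constructed requests against both “Resource” sections above, showing why the bucket listing is denied once access is restricted and which bucket-level actions `s3:Put*` still matches. The bucket names other than `mybucket`, the object keys, and the modelling of the account-wide listing as a request on `arn:aws:s3:::*` are assumptions; real IAM evaluation also involves conditions, bucket policies and other policy types not modelled here.

```python
import re

def glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def allowed(policy, action, resource):
    """Simplified identity-policy check: explicit Deny wins, else any matching Allow.
    Assumes list-valued Action/Resource and no Condition, NotAction or NotResource."""
    verdict = False
    for st in policy["Statement"]:
        if (any(glob(a, action, ignore_case=True) for a in st["Action"])
                and any(glob(r, resource) for r in st["Resource"])):
            if st["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

ACTIONS = ["s3:CreateBucket", "s3:DeleteObject", "s3:Put*", "s3:Get*", "s3:List*"]

def policy(resources):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ACTIONS, "Resource": resources}]}

ACCOUNT_WIDE = policy(["arn:aws:s3:::*"])
ONE_BUCKET = policy(["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"])

# Assumption: listing every bucket in the account targets no single bucket, so it
# is modelled here as a request on the all-buckets ARN.
ALL_BUCKETS = "arn:aws:s3:::*"

# Constructed sample requests (bucket names other than mybucket are made up).
REQUESTS = [
    ("s3:ListAllMyBuckets", ALL_BUCKETS),
    ("s3:ListBucket", "arn:aws:s3:::mybucket"),
    ("s3:PutObject", "arn:aws:s3:::mybucket/wp-content/uploads/a.jpg"),
    ("s3:PutBucketPolicy", "arn:aws:s3:::mybucket"),   # also matched by s3:Put*
    ("s3:DeleteBucket", "arn:aws:s3:::mybucket"),      # not in the action list
    ("s3:GetObject", "arn:aws:s3:::otherbucket/report.pdf"),
    ("s3:CreateBucket", "arn:aws:s3:::newbucket"),
]

def lost_by_restricting():
    """Requests the account-wide policy allows but the one-bucket policy does not."""
    return [r for r in REQUESTS
            if allowed(ACCOUNT_WIDE, *r) and not allowed(ONE_BUCKET, *r)]

if __name__ == "__main__":
    for action, resource in REQUESTS:
        print(f"{action:22} {resource:50} wide={allowed(ACCOUNT_WIDE, action, resource)!s:5} "
              f"bucket={allowed(ONE_BUCKET, action, resource)}")
```
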

You can read more about IAM policies here and AWS can generate one for you here.