Restricting AWS permissions

Learn how to lock down permissions so that Paperplane can only access certain S3 buckets.

In the quickstart guide, we recommended adding the "AmazonS3FullAccess" policy to your AWS user as a way of getting started quickly.

However, it's good practice to be more restrictive in the permissions you grant to Paperplane. You can do this by using a custom policy.

This is an example of a custom policy which restricts access to one S3 bucket, giving Paperplane the minimum set of required permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PaperplanePermissions",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::myapp-bucket-name/*"
            ]
        }
    ]
}

Remember to change myapp-bucket-name to the name of your S3 bucket.

You can grant access to multiple buckets by adding more entries to the "Resource" array in the policy.

To create the custom policy, go to "Policies" within the IAM section of the AWS dashboard. Click "Create Policy" and paste the example policy above into the editor in the "JSON" tab. Alternatively, you can use the visual policy builder.

Once the policy is saved, edit the Paperplane AWS user to associate it with the policy, either directly or via a group. If the user still has "AmazonS3FullAccess" attached from the quickstart, detach it: IAM permissions are additive, so the broader policy would otherwise continue to apply.
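If you edit the policy by hand or add more buckets, you can check the result before saving it. The script below is an added example, not part of Paperplane or its documentation: it builds the policy shown above for several buckets and lists any grant that goes beyond "s3:PutObject" on those buckets. The function names and the second bucket name are assumptions made for illustration.

```python
import json

ALLOWED_ACTIONS = {"s3:PutObject"}  # the only action the policy on this page grants

def build_policy(buckets):
    """Return the page's policy shape with one object ARN per bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PaperplanePermissions",
            "Effect": "Allow",
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets],
        }],
    }

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy, buckets):
    """List every grant that goes beyond s3:PutObject on the named buckets."""
    expected = {f"arn:aws:s3:::{b}/*" for b in buckets}
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = st.get("Sid", "<no Sid>")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in _as_list(st.get("Action")):
            if action not in ALLOWED_ACTIONS:  # exact match, so s3:* and s3:Put* are flagged
                findings.append(f"{sid}: unexpected action {action}")
        for resource in _as_list(st.get("Resource")):
            if resource not in expected:
                findings.append(f"{sid}: unexpected resource {resource}")
    return findings

if __name__ == "__main__":
    # Constructed bucket names, for illustration only.
    names = ["myapp-bucket-name", "myapp-second-bucket"]
    policy = build_policy(names)
    print(json.dumps(policy, indent=4))
    print(audit_policy(policy, names) or "no findings")
```

The comparison is an exact string match, so a differently cased action name such as "s3:putobject" is reported even though IAM would treat it as the same action.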
