Restrict access to a single folder in S3 bucket


This restrictive IAM policy grants only list and upload access to a particular prefix in a particular bucket. It also intends to allow multipart uploads.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::mybucket",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "my/prefix/is/this/*"
                }
            }
        },
        {
            "Sid": "UploadObject",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/my/prefix/is/this/*"
            ]
        }
    ]
}

Note that specifying the s3:ListBucket resource compactly as "arn:aws:s3:::mybucket/my/prefix/is/this/*" didn't work.
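To see why the two statements above behave as they do, and why the "compact" ListBucket resource and the question's bucket-ARN statement silently fail to apply, here is a small offline evaluator. It is an added example, not code from the answer's author, and it is not the IAM engine: it models a single policy's Allow statements with only the operators used on this page (StringEquals, StringLike), no Deny, no NotAction/NotResource, no policy variables. The ARNs and request values it checks against are constructed for the demonstration; `mybucket`, `bucket` and `folder` are the placeholders already used on the page.

```python
"""Toy evaluator for the S3 policies on this page (added example, not IAM itself)."""
import copy
import json
import re

# The answer's policy (trailing comma after the object ARN removed so it parses).
POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {"StringLike": {"s3:prefix": "my/prefix/is/this/*"}}
    },
    {
      "Sid": "UploadObject",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
      "Resource": ["arn:aws:s3:::mybucket/my/prefix/is/this/*"]
    }
  ]
}
""")

# The "compact" variant the answer says did not work: ListBucket is a bucket-level
# action, so granting it on an object-style ARN never matches the bucket ARN.
COMPACT_VARIANT = copy.deepcopy(POLICY)
COMPACT_VARIANT["Statement"][0]["Resource"] = "arn:aws:s3:::mybucket/my/prefix/is/this/*"

# The shape of the question's third statement: object actions granted on the bucket ARN.
QUESTION_STYLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::bucket"],
    "Condition": {"StringLike": {"s3:prefix": ["folder/*"]}},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style match: '*' is any run of characters (including '/'), '?' one character, case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """All operator/key tests must hold; a key absent from the request (e.g. a PutObject
    request carries no s3:prefix) fails the test, since no ...IfExists operator is used."""
    for operator, tests in condition.items():
        for key, allowed in tests.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "StringEquals":
                ok = actual in _as_list(allowed)
            elif operator == "StringLike":
                ok = any(_wildcard_match(p, actual) for p in _as_list(allowed))
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource and condition; otherwise implicit deny."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue  # wrong kind of ARN: the statement does not apply at all
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


BUCKET = "arn:aws:s3:::mybucket"
IN_PREFIX = "arn:aws:s3:::mybucket/my/prefix/is/this/report.csv"      # constructed object key
OUT_OF_PREFIX = "arn:aws:s3:::mybucket/elsewhere/report.csv"          # constructed object key


def run_checks():
    """Requests a practitioner would try against the answer's policy and the two broken variants."""
    return {
        "list inside prefix": is_allowed(POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "my/prefix/is/this/"}),
        "list other prefix": is_allowed(POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "elsewhere/"}),
        "list with no prefix": is_allowed(POLICY, "s3:ListBucket", BUCKET),
        "put inside prefix": is_allowed(POLICY, "s3:PutObject", IN_PREFIX),
        "put outside prefix": is_allowed(POLICY, "s3:PutObject", OUT_OF_PREFIX),
        "get inside prefix": is_allowed(POLICY, "s3:GetObject", IN_PREFIX),
        "list via compact ARN": is_allowed(COMPACT_VARIANT, "s3:ListBucket", BUCKET, {"s3:prefix": "my/prefix/is/this/"}),
        "question: put on bucket ARN": is_allowed(QUESTION_STYLE_POLICY, "s3:PutObject", "arn:aws:s3:::bucket/folder/x.txt"),
    }


if __name__ == "__main__":
    for name, allowed in run_checks().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'deny'}")
```

Only the first and fourth checks come back allowed: listing works solely for prefixes under `my/prefix/is/this/` (a listing of the bucket root carries no `s3:prefix`, so the condition fails), writes work solely on object ARNs under that prefix, and reads are denied because no statement grants `s3:GetObject`. The compact ListBucket ARN and the question's bucket-ARN statement both fail at the resource-match step before any condition is looked at. For an authoritative answer on a real policy, run the same requests through the IAM policy simulator (`aws iam simulate-custom-policy`) rather than trusting this approximation.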

Author: Cloudy

Updated on June 27, 2022

Comments

  • Cloudy (almost 2 years ago)

    I want to restrict the access to a single folder in S3 bucket.

    I have written an IAM role for the same. Somehow I am not able to upload/sync the files to this folder. Here, bucket is the bucket name and folder is the folder where I want to give access.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowUserToSeeBucketListInTheConsole",
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::*"
                ]
            },
            {
                "Sid": "AllowRootAndHomeListingOfBucket",
                "Action": [
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::bucket"
                ],
                "Condition": {
                    "StringEquals": {
                        "s3:prefix": [
                            ""
                        ],
                        "s3:delimiter": [
                            "/"
                        ]
                    }
                }
            },
            {
                "Sid": "AllowListingOfUserFolder",
                "Action": [
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:GetObject",
                    "s3:GetObjectAcl",
                    "s3:HeadObject"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::bucket"
                ],
                "Condition": {
                    "StringLike": {
                        "s3:prefix": [
                            "folder/*"
                        ]
                    }
                }
            }
        ]
    }
    

    Please suggest where I am wrong.