
AWS IAM Policy: Restrict Bucket/Folder Access By User/Role?


I'm trying to restrict users, by role, to accessing only particular folders within an S3 bucket. The bucket is configured as "mock mountable", so to speak, so that we can use it for file sharing as if it were a more traditional file server. Each user accesses S3 remotely through CloudBerry.

Here's my current (broken) policy; the bucket name is "bluebolt".

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowUserToSeeBucketListInTheConsole",
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Sid": "AllowRootAndHomeListingOfCompanySharedAndPAndP",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    "",
                    "Production and Processing/",
                    "Production and Processing/${aws:username}",
                    "Company Shared/"
                ],
                "s3:delimiter": [
                    "/"
                ]
            }
        }
    },
    {
        "Sid": "AllowListingOfCompanyShared",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "Company Shared/*"
                ]
            }
        }
    },
    {
        "Sid": "AllowListingOfUserFolder",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "Production and Processing/${aws:username}/",
                    "Production and Processing/${aws:username}/*"
                ]
            }
        }
    },
    {
        "Sid": "AllowAllS3ActionsCompanyShared",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt/Company Shared/*"
        ]
    },
    {
        "Sid": "AllowAllS3ActionsInUserFolder",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt/Production and Processing/${aws:username}/*"
        ]
    },
    {
        "Sid": "DenyAllS3ActionsInManagement",
        "Effect": "Deny",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt/Management/*"
        ]
    }
]

}

So, what I want is to restrict users to listing/reading/writing only what is in "/Production and Processing/[UserName]", while also letting them list/read everything in "/Company Shared", and specifically prohibiting all access to "/Management" and to everything under "/Production and Processing/*" except their own user folder. Ideally a user would see only "/Company Shared" and "/Production and Processing" at the top of bluebolt, and once they enter "/Production and Processing" they'd see only their user-named folder, which is their workspace.

Right now, users are sporadically getting access errors ("You do not have permission to access") once they dig below the top-level bluebolt bucket.

I don't know whether this use case is common or whether I'm trying to fit too square a peg into a round hole, but any feedback, tips, similar policy examples, or harsh criticism is welcome and greatly appreciated!


Solution

  • Here's the policy I got to work. Note that the `"*"` entry in `s3:prefix` is what makes listing succeed, and it lets a user list every prefix in the bucket (including `Management/`); the `bluebolt/...` entries never match because `s3:prefix` is compared against the key prefix without the bucket name, so the object-level Allow statements below are the only thing confining reads/writes to the user's own folder and `Company Shared/`.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bluebolt"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "*",
                        "bluebolt/Company Shared/*",
                        "bluebolt/Production and Processing/*",
                        "bluebolt/Production and Processing/${aws:userName}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bluebolt/Production and Processing/${aws:userName}/*"
            ]
        },
        {
            "Sid": "AllowCertainS3ActionsInCompanyShared",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bluebolt/Company Shared/*"
            ]
        }
    ]
    

    }