I have a bucket "mybucket" in which there is a folder "myfolder". In the same bucket there is also another folder "notmyfolder".
This is the policy that I think "should" work.
{
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "myfolder",
            "myfolder/*"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket"
      ]
    }
  ]
}
But testing with the policy simulator trying to do GetObject on a file in myfolder gets denied.
If I change it to
{
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::pangea-configuration/myfolder/*"
      ]
    }
  ]
}
Now the simulator says I can access the file in myfolder. But it also lets me access a file in notmyfolder.
What am I missing here?
The policy you've shown doesn't allow any access to objects because the resource you've indicated (arn:aws:s3:::mybucket) is a bucket ARN, not an object ARN. You've allowed an object-level action against a bucket ARN, which won't do anything useful.
The resource should be arn:aws:s3:::mybucket/myfolder/*. And you don't need any condition in the IAM policy because the default is to implicitly deny. The policy will not allow any access to objects under the notmyfolder prefix.
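To make the answer's point concrete, here is an added example (not code from the question or the answer) with a small Python evaluator that mimics how IAM matches a statement's Action and Resource against a request; Conditions are deliberately left out, and the policies and object ARNs inside it are constructed to mirror the question. It shows that a bare bucket ARN never matches an object ARN, and that the object-prefix resource allows only keys under myfolder/ while everything else stays implicitly denied.

```python
import re

# Added example, not code from the question or the answer: a minimal model of
# IAM's Action/Resource matching. Conditions are not modelled, since the point
# here is that an object ARN never matches a bare bucket ARN.


def arn_matches(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Implicit deny unless some statement allows the action on the resource;
    a matching explicit Deny always wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are matched case-insensitively by IAM.
        if not any(arn_matches(a.lower(), action.lower()) for a in actions):
            continue
        if not any(arn_matches(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed policies mirroring the question: the first names only the bucket
# ARN (the broken one), the second names the object prefix inside the bucket.
BUCKET_ARN_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                    "Resource": ["arn:aws:s3:::mybucket"]}]}
OBJECT_ARN_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                    "Resource": ["arn:aws:s3:::mybucket/myfolder/*"]}]}

# Constructed object ARNs for the two prefixes from the question.
MINE = "arn:aws:s3:::mybucket/myfolder/report.txt"
NOT_MINE = "arn:aws:s3:::mybucket/notmyfolder/report.txt"

if __name__ == "__main__":
    print(is_allowed(BUCKET_ARN_POLICY, "s3:GetObject", MINE))      # False
    print(is_allowed(OBJECT_ARN_POLICY, "s3:GetObject", MINE))      # True
    print(is_allowed(OBJECT_ARN_POLICY, "s3:GetObject", NOT_MINE))  # False
```

Note that the s3:prefix condition key in the original policy is only present on ListBucket requests, so it has nothing to match on a GetObject request; the object-level Resource ARN is what scopes access.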