amazon-web-servicesamazon-s3aws-policies

AWS iam policy for limiting access to only special folders


I have a bucket "mybucket" in which there is a folder "myfolder". In the same bucket there is also another folder "notmyfolder".

This is the policy that I think "should" work.

{
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
             "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "myfolder",
                        "myfolder/*"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

But testing with the policy simulator trying to do GetObject on a file in myfolder gets denied.

If I change it to

{
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::pangea-configuration/myfolder/*"
            ]
        }
    ]
}

Now the simulator says I can access the file in myfolder. But it also lets me access a file in notmyfolder.

what am I missing here?


Solution

  • The policy you've shown doesn't allow any access to objects because the resource you've indicated (arn:aws:s3:::mybucket) is a bucket ARN, not an object ARN. You've allowed an object-level action against a bucket ARN, which won't do anything useful.

    The resource should be arn:aws:s3:::mybucket/myfolder/*. And you don't need any condition in the IAM policy because the default is to implicitly deny. The policy will not allow any access to objects under the notmyfolder prefix.