I have a bucket "mybucket" in which there is a folder "myfolder". In the same bucket there is also another folder "notmyfolder".
This is the policy that I think "should" work.
{
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "myfolder",
            "myfolder/*"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket"
      ]
    }
  ]
}
But when I test it with the policy simulator, trying to do GetObject on a file in myfolder gets denied.
If I change it to
{
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::pangea-configuration/myfolder/*"
      ]
    }
  ]
}
Now the simulator says I can access the file in myfolder. But it also lets me access a file in notmyfolder.
What am I missing here?
2 Answers
In the initial configuration you are omitting some permissions, since in addition to the permissions on the prefix you must be able to list the objects inside the bucket, not just its folder.
You can check the step by step in the following link:
https://repost.aws/knowledge-center/iam-s3-user-specific-folder
Greetings
The policy you've shown doesn't allow any access to objects because the resource you've indicated (arn:aws:s3:::mybucket) is a bucket ARN, not an object ARN. You've allowed an object-level action against a bucket ARN, which won't do anything useful. The resource should be arn:aws:s3:::mybucket/myfolder/*. And you don't need any condition in the IAM policy because the default is to implicitly deny. The policy will not allow any access to objects under the notmyfolder prefix.
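To make both answers concrete (the first answer's point that s3:ListBucket on the bucket is needed alongside the object permission, and the second answer's point that s3:GetObject must target an object ARN, not the bucket ARN), here is an added example that is not part of the thread or of any AWS tooling. It is a deliberately small, single-policy evaluator in Python that models only the Allow/Deny/implicit-deny outcome, glob-style wildcards, and the StringLike operator; BROKEN_POLICY mirrors the asker's first attempt, FIXED_POLICY is the corrected shape the answers describe, and the bucket, folder and object names are constructed for the demo.

```python
import fnmatch

# Constructed policies for illustration (added example, not code from the thread).
# BROKEN mirrors the asker's first attempt: an object-level action (s3:GetObject) on the
# bucket ARN, gated by an s3:prefix condition that a GetObject request never carries.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::mybucket"],
        "Condition": {"StringLike": {"s3:prefix": ["myfolder", "myfolder/*"]}},
    }],
}

# FIXED is the shape both answers point at: s3:ListBucket on the bucket ARN, limited by
# the s3:prefix condition, plus s3:GetObject on the object ARN pattern under myfolder/.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::mybucket"],
            "Condition": {"StringLike": {"s3:prefix": ["myfolder", "myfolder/*"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::mybucket/myfolder/*"],
        },
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value):
    # IAM '*' and '?' behave like shell globs and, unlike some path matchers, match across '/'.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringLike is modelled here. A condition key that is absent from the request
    # context makes a StringLike condition false; this is why the broken policy could
    # never allow GetObject even on a matching resource: that request has no s3:prefix key.
    for operator, clauses in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} is not modelled in this example")
        for key, patterns in clauses.items():
            if key not in context or not _wildcard_match(patterns, context[key]):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Simplified single-policy evaluation: explicit Deny wins, then Allow, else implicit deny."""
    context = context or {}
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _wildcard_match(statement["Action"], action):
            continue
        if not _wildcard_match(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj_in = "arn:aws:s3:::mybucket/myfolder/report.csv"        # constructed object ARN
    obj_out = "arn:aws:s3:::mybucket/notmyfolder/report.csv"    # constructed object ARN
    bucket = "arn:aws:s3:::mybucket"
    print("broken, GetObject in myfolder:    ", evaluate(BROKEN_POLICY, "s3:GetObject", obj_in))
    print("fixed,  GetObject in myfolder:    ", evaluate(FIXED_POLICY, "s3:GetObject", obj_in))
    print("fixed,  GetObject in notmyfolder: ", evaluate(FIXED_POLICY, "s3:GetObject", obj_out))
    print("fixed,  ListBucket prefix myfolder/:   ",
          evaluate(FIXED_POLICY, "s3:ListBucket", bucket, {"s3:prefix": "myfolder/"}))
    print("fixed,  ListBucket prefix notmyfolder/:",
          evaluate(FIXED_POLICY, "s3:ListBucket", bucket, {"s3:prefix": "notmyfolder/"}))
```

Two things the evaluator makes visible: with BROKEN_POLICY the GetObject request fails at the resource check before the condition is even consulted, and with FIXED_POLICY a listing that carries no prefix at all (the bucket root view) is also implicitly denied, so if that view is required the prefix condition has to allow the empty string explicitly. Real IAM evaluation also merges every policy attached to the principal plus bucket policies, so a simulator result that allows notmyfolder usually means another policy is granting it.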