Amazon web services - I don't understand why this IAM policy using a StringLike condition for an S3 bucket doesn't work

BenRubin
August 24, 2023
319 views
0 votes
2 Answers

I have an S3 bucket named my.example.com, and within it I have the folder Folder1.

I’m confused about why the following policy doesn’t let me download files from Folder1.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "MyPolicy",
         "Effect": "Allow",
         "Action": "s3:Get*",
         "Resource": "arn:aws:s3:::my.example.com",
         "Condition": {
            "StringLike": {
               "s3:prefix": [
                  "Folder1/*"
               ]
            }
         }
      }
   ]
}

However, this policy does let me download files

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "MyPolicy",
         "Effect": "Allow",
         "Action": "s3:Get*",
         "Resource": "arn:aws:s3:::my.example.com/Folder1/*"
      }
   ]
}

Why doesn’t the first policy work?

Answers

- LarryL
- August 23, 2023 at 10:30 pm
- 0 votes
0
According to this page at AWS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html

The prefix key automatically matches anything after the prefix, so you shouldn’t need the asterisk. So perhaps something like:
```
"StringEquals": {
  "s3:prefix": [
    "Folder1"
  ]
}
```
Would work?
Login or Signup to reply.

- Marcin
- August 24, 2023 at 3:04 am
- 0 votes
0
Your resource:
```
"Resource": "arn:aws:s3:::my.example.com",
```
is for bucket only, not for any objects in the bucket. Thus, for your policy to apply to the objects it should be:
```
"Resource": "arn:aws:s3:::my.example.com/*",
```
Login or Signup to reply.