Alan Kis

Reputation: 1910

Specifying multiple folders in AWS S3 IAM policy

I guess that my question is pretty straightforward. Let's say that I have the following S3 bucket structure.

- root_folder_bucket
  - subfolder1
  - subfolder2
  - subfolder3
  - somefolder

The naive approach to restrict access to only, for example, subfolder1, subfolder2, and subfolder3 would be like below. In fact, AWS wouldn't throw an error, but such a policy will not work. Is there any elegant way to write the Resource policy like below, or should I stick to the prefixes, conditions, and delimiter?

"arn:aws:s3:::root_folder_bucket/[subfolder1, subfolder2]/*",

Upvotes: 1

Views: 1521

Answers (1)

Ashan

Reputation: 19738

Instead of defining the subfolders in a single ARN (which won't work), you can either add multiple statements to the policy like shown below,

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::root_folder_bucket"],
      "Condition": {
        "StringLike": {"s3:prefix": ["subfolder1/*"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::root_folder_bucket/subfolder2/*"]
    }
  ]
}

Or add multiple ARNs to the Resource block,

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::root_folder_bucket/subfolder1/*",
                   "arn:aws:s3:::root_folder_bucket/subfolder2/*"]
    }
  ]
}

Upvotes: 4
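As an added example (not part of the answer above), the following Python builds the multiple-ARN form for any list of prefixes and then checks object ARNs against it with IAM's own wildcard rules, where only `*` and `?` are special and brackets are literal characters; that is why the question's `[subfolder1, subfolder2]` ARN silently matches nothing. The bucket name and prefixes come from the question; the checker ignores Deny statements and Conditions, which is an assumed simplification.

```python
import re

# Bucket and prefixes from the question; the bracket ARN is the naive form asked about.
BUCKET = "root_folder_bucket"
NAIVE_ARN = "arn:aws:s3:::root_folder_bucket/[subfolder1, subfolder2]/*"
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]


def iam_match(pattern: str, value: str) -> bool:
    """IAM resource matching: '*' matches any run, '?' one character, all else literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def build_policy(bucket: str, prefixes: list[str]) -> dict:
    """One ListBucket statement scoped by s3:prefix, plus one object-level
    statement carrying one '<prefix>/*' ARN per allowed subfolder."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{p}/*" for p in prefixes]}},
            },
            {
                "Effect": "Allow",
                "Action": OBJECT_ACTIONS,
                "Resource": [f"arn:aws:s3:::{bucket}/{p}/*" for p in prefixes],
            },
        ],
    }


def allows(policy: dict, action: str, resource_arn: str) -> bool:
    """True if an Allow statement grants `action` on `resource_arn`.
    Simplified: Deny statements and Conditions are not evaluated."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if any(iam_match(res, resource_arn) for res in stmt["Resource"]):
            return True
    return False
```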
