Reputation: 1090
I currently have a small web server for serving static files, which is set up to do the following:
So essentially, /dl/ is a repository of public files, and /dl2/ is a repository of private files. Translating this behavior to S3 does not seem to be straightforward, however. Currently, my policy looks like this:
{
  "Version": "2012-10-17",
  "Id": "StaticPolicy01",
  "Statement": [
    {
      "Sid": "DLALlowPolicy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::static.spookyinternet.com/dl/*"
    }
  ]
}
However, I'm unable to find any concrete documentation on how to set this up. How can I configure an S3 bucket to behave in this same way?
Edit: Some additional information, if it is applicable: This will ultimately be sitting behind a CloudFront instance using my personal domain name.
Upvotes: 0
Views: 114
Reputation: 269480
It appears that your desire is:
- dl directory that can be listed, with all files accessible
- dl2 directory that cannot be listed, but all the files are accessible if somebody knows the name of the file
Firstly, this is a very poor security design. Just because somebody cannot list the dl2 directory does not make your files secure. Anybody that knows a filename (or that can guess a filename) would have access to the files. Security through obscurity is not very good security.
Secondly, please note that permissions are not placed on folders. Rather, a Bucket Policy (such as the one you list) can grant permissions based upon a path, which is effectively the same as granting permissions on a folder-level.
Also, please note that Amazon S3 is not a traditional web server. It is an object storage system that also provides access to objects via HTTP/S calls. So, it can't do things like "give a directory listing of all available files in /dl/". (It can supply an XML listing of all files in a bucket, but you typically don't want to do that.)
Your desire to grant access to all files in dl can be satisfied by the Bucket Policy you show above. If you also wish to grant access to all files in dl2 (which is bad from a security perspective), simply add that to the policy, eg:
"Resource": [
  "arn:aws:s3:::static.spookyinternet.com/dl/*",
  "arn:aws:s3:::static.spookyinternet.com/dl2/*"
]
Your desire to list files in dl cannot be met by S3. You could choose to upload a default index.htm file and serve it through static website sharing, but you would need an application to keep the list always up-to-date.
So, at a simple level, all your needs (except the ability to list dl) can be met with the Bucket Policy.
But what, you might ask, is a better way to do things? I'm glad you asked!
Upvotes: 1
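As an added illustration (not code from the question or from the answer above), the following Python script applies the question's Bucket Policy, and the answer's extended version with dl2/* added, to individual object ARNs. It implements only the subset of the policy language those policies use (Effect, an anonymous Principal, Action, and Resource with the policy-language `*`/`?` wildcards); Condition blocks, NotAction/NotResource, S3 Block Public Access, ACLs and identity-based policies are deliberately not modelled, and the object keys are constructed sample values. It makes the answer's point concrete: the original policy grants anonymous s3:GetObject only under dl/, adding dl2/* grants it to anyone who knows (or guesses) a key, and neither policy grants s3:ListBucket, so "not listable" and "not readable" are independent properties.

```python
import json
import re

# Bucket name taken from the question's policy; the object keys used below are
# constructed sample values, not files that exist anywhere.
BUCKET = "static.spookyinternet.com"

# The policy exactly as posted in the question (anonymous GetObject under dl/ only).
ORIGINAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "StaticPolicy01",
  "Statement": [
    {
      "Sid": "DLALlowPolicy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::static.spookyinternet.com/dl/*"
    }
  ]
}
""")

# The answer's suggested extension: the same statement with dl2/* added to Resource.
EXTENDED_POLICY = json.loads(json.dumps(ORIGINAL_POLICY))
EXTENDED_POLICY["Statement"][0]["Resource"] = [
    f"arn:aws:s3:::{BUCKET}/dl/*",
    f"arn:aws:s3:::{BUCKET}/dl2/*",
]


def _wildcard_regex(pattern: str) -> re.Pattern:
    """Compile a policy-language wildcard pattern.

    In IAM/S3 policies '*' matches any run of characters (it does not stop at '/')
    and '?' matches exactly one character; everything else is literal.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal) -> bool:
    # Only "*" and {"AWS": "*"} mean "anybody"; named principals are out of scope here.
    return principal == "*" or principal == {"AWS": "*"}


def evaluate(policy: dict, action: str, resource_arn: str) -> str:
    """Decide an anonymous request against a bucket policy.

    Returns "Allow", "Deny" (an explicit Deny matched, which always wins) or
    "ImplicitDeny" (no statement matched). Simplified on purpose: Conditions,
    NotAction/NotResource, Block Public Access, ACLs and IAM policies are ignored.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        # Action names are case-insensitive in the policy language.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(_wildcard_regex(a).match(action.lower()) for a in actions):
            continue
        if not any(_wildcard_regex(r).match(resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def object_arn(key: str) -> str:
    return f"arn:aws:s3:::{BUCKET}/{key}"


def bucket_arn() -> str:
    return f"arn:aws:s3:::{BUCKET}"


def public_reads(policy: dict, keys) -> dict:
    """Map each object key to the anonymous s3:GetObject decision under the policy."""
    return {key: evaluate(policy, "s3:GetObject", object_arn(key)) for key in keys}


if __name__ == "__main__":
    sample_keys = ["dl/readme.txt", "dl2/report.pdf", "dl2/nested/keys.csv"]
    for name, policy in (("original", ORIGINAL_POLICY), ("extended", EXTENDED_POLICY)):
        print(name, public_reads(policy, sample_keys))
        # Listing is never granted, so dl2 stays "unlistable" even once it is world-readable.
        print(name, "s3:ListBucket ->", evaluate(policy, "s3:ListBucket", bucket_arn()))
```

Running it shows dl2/report.pdf and dl2/nested/keys.csv flip from ImplicitDeny to Allow the moment dl2/* is added, while s3:ListBucket stays ImplicitDeny under both policies; a reviewer checking a bucket policy for "private" prefixes should therefore look at which prefixes grant GetObject to an anonymous principal, not at whether listing is blocked.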