How to create public policies for specific nested folders in S3 bucket?

Question

I have an S3 bucket and inside it I have some folders but the objects inside folders are going to be created dynamically so in simple terms I can say it like this:

main_users/someIDNumber/uploaded

someIDNumber is dynamic and it is different every time a user is created. Now I want to give GetObject permission to all objects inside "uploaded" folder just for all users to a specific refer which is my website.

I have tried this in my bucket policies but it doesn't work:

arn:aws:s3:::mybucketname/main_users/*/uploaded/*

also this:

arn:aws:s3:::mybucketname/main_users/*/uploaded

But I get access denied on my website side.

How can I do it?

Answer 1

It worked for me. I did the following:

• Uploaded a file to: s3://my-bucket/main_users/42/uploaded/foo.txt
• Created a stack IAM user with the policy shown below
• Ran aws s3 cp s3://my-bucket/main_users/42/uploaded/foo.txt . --profile stack
• The file copied successfully

The policy was:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/main_users/*/uploaded/*"
        }
    ]
}

It failed when I tried to copy a file with:

aws s3 cp s3://my-bucket/main_users/24/something/foo.txt . --profile stack

Please note that if you are trying to list (ls) a folder, you will need a different policy. The above was a test of GetObject, not of listing a bucket.

While I put these policies on a specific IAM user, it should work the same in a Bucket Policy. Just make sure that you have edited S3 Block Public Access to enable the content of the bucket to be publicly accessible.