Yoni Maymon

Reputation: 11

Full access to AWS S3 bucket for all operations except for 1 folder

I have a group policy that allows full access to several S3 buckets.

This policy allows read and write to the bucket.

The team that uses these buckets wants one of the folders to be read-only for their group, without the ability to write or delete its contents.

How do I provide that while still allowing them to have full access to all the other folders?

Upvotes: 1

Views: 2409

Answers (1)

John Rotenstein

Reputation: 269091

To allow access to "every folder except one", you will need to use an Allow policy and a Deny policy. This is because a Deny always overrides an Allow.

You should put the desired IAM Users into an IAM Group, then add a policy like this to the IAM Group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/read-only-path/*"
        }
    ]
}

Be a little careful with the Allow — it is not good practice to grant s3:* to the bucket since this is probably giving them too much permission. So, trim it down to what they actually need.

Upvotes: 3
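As an added example (not part of the answer above and not AWS's own evaluator), the following script loads the answer's policy and applies the simplified IAM decision logic it relies on, explicit Deny beating Allow and anything unmatched falling through to an implicit deny, so you can check offline which requests the group would be permitted; it also shows that a bucket-level action such as s3:ListBucket is not covered, because the Allow only names objects under my-bucket/*. Object keys such as report.csv are constructed sample input.

```python
import fnmatch
import json

# The IAM group policy from the answer above (trailing commas removed so it parses).
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::my-bucket/read-only-path/*"}
    ]
}
""")


def _as_list(value):
    # IAM accepts a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    # IAM treats '*' and '?' in Action/Resource as wildcards; fnmatch does the same.
    # This is an approximation of the real evaluator (it ignores Condition, NotAction, etc.).
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    An explicit Deny wins as soon as it matches; an Allow only counts if no
    Deny matches; a request matched by nothing is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed sample requests covering the read-only folder, another folder and the bucket itself.
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::my-bucket/read-only-path/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::my-bucket/read-only-path/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::my-bucket/other-path/report.csv"),
        ("s3:ListBucket", "arn:aws:s3:::my-bucket"),
    ]:
        print(f"{action:16} {resource:55} -> {evaluate(POLICY, action, resource)}")
```

If the group also needs to list the bucket, a separate Allow on arn:aws:s3:::my-bucket for s3:ListBucket is required; the verdict table above makes that gap visible before the policy is deployed.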
