Reputation: 11
I am trying to create an IAM policy to allow a user access only to a specific folder in an S3 bucket. How do I do this using visual policy editor? In the resource section if I mention the arn for the folder, the user is being denied access to the whole bucket.
Upvotes: 1
Views: 2178
Reputation: 270144
Here is a policy that grants access to a specific folder within a bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["folder1/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/folder1/*"]
}
]
}
Things to note:
- The ListBucket operation that allows listing a bucket is a permission on the bucket itself (not a path). To restrict which folders they can list, the folder must be specified via the s3:prefix condition.
- The GetObject and PutObject operations operate on objects, so the folder can be referenced in the ARN.

It is also possible to use IAM Policy Elements: Variables and Tags to refer to a username. This policy can be applied to an IAM Group and will allow each user access to a folder with their own name:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
}
]
}
Upvotes: 4
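To make the bucket-versus-object distinction in the answer concrete, here is an added, self-contained example (not part of the original question or answer, and not the AWS policy engine). It is a deliberately small, hypothetical IAM evaluator that models only what the answer uses: Action and Resource wildcards, `${aws:username}` substitution, the `StringLike` condition operator, and default-deny with explicit Deny winning. `PER_USER_POLICY` is the answer's second policy; `BROKEN_POLICY` is a constructed reconstruction of what the question describes, with the folder ARN used as the Resource for `s3:ListBucket`. The request contexts are constructed sample inputs.

```python
"""Toy IAM evaluator for S3 folder policies (illustrative, not the real AWS engine)."""
import re

# The answer's per-user policy, as written on the page.
PER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket"],
            "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}},
        },
        {
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"],
        },
    ],
}

# Constructed reconstruction of the question's attempt: the folder ARN as the
# Resource for ListBucket. ListBucket is authorised against the bucket ARN, so
# this statement can never match a listing request.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket/folder1/*"],
        }
    ],
}

BUCKET = "arn:aws:s3:::mybucket"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(text, context):
    """Replace ${key} policy variables with values from the request context."""
    for key, value in context.items():
        text = text.replace("${" + key + "}", value)
    return text


def _glob_match(pattern, value):
    """IAM-style wildcard match: * is any run of characters, ? a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _condition_holds(condition, context):
    """Only StringLike is modelled. A context key that is absent from the
    request fails the test, which is also how IAM treats StringLike without
    the ...IfExists variant."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            if key not in context:
                return False
            expanded = [_substitute(p, context) for p in _as_list(patterns)]
            if not any(_glob_match(p, context[key]) for p in expanded):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Default deny; any matching explicit Deny beats every Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(_glob_match(a, action.lower()) for a in actions):
            continue
        resources = [_substitute(r, context) for r in _as_list(stmt["Resource"])]
        if not any(_glob_match(r, resource) for r in resources):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def demo():
    """Constructed requests from user 'alice' against both policies."""
    alice = {"aws:username": "alice"}
    return {
        "list own prefix": is_allowed(PER_USER_POLICY, "s3:ListBucket", BUCKET, {**alice, "s3:prefix": "alice/"}),
        "list other prefix": is_allowed(PER_USER_POLICY, "s3:ListBucket", BUCKET, {**alice, "s3:prefix": "bob/"}),
        "list bucket root": is_allowed(PER_USER_POLICY, "s3:ListBucket", BUCKET, alice),
        "get own object": is_allowed(PER_USER_POLICY, "s3:GetObject", BUCKET + "/alice/report.csv", alice),
        "get other object": is_allowed(PER_USER_POLICY, "s3:GetObject", BUCKET + "/bob/report.csv", alice),
        "broken: list folder": is_allowed(BROKEN_POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "folder1/"}),
        "broken: get object": is_allowed(BROKEN_POLICY, "s3:GetObject", BUCKET + "/folder1/a.txt", {}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} -> {'ALLOW' if verdict else 'DENY'}")
```

Two results are worth noting. "broken: list folder" is denied even though "broken: get object" is allowed: the listing request carries the bucket ARN, so a folder-scoped Resource never matches it, which is the failure mode the question describes. "list bucket root" is also denied under the answer's policy, because a listing with no prefix has no `s3:prefix` key for `StringLike` to test; a tool that starts by listing the bucket root (for example `aws s3 ls s3://mybucket`) will therefore fail unless you add a further ListBucket statement that allows the empty prefix.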