AWS: Limit IAM user to specific folder in S3 bucket
So I was trying to define a policy to restrict the IAM user group to a specific folder in the S3 bucket with no success. I have canceled the policy outlined in this blog post. http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
Specifically, I am using the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::*"]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket"],
            "Condition": {"StringEquals": {"s3:delimiter": ["/"]}}
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket"],
            "Condition": {"StringLike": {"s3:prefix": ["myfolder"]}}
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::mybucket/myfolder/*"]
        }
    ]
}
Unfortunately, this policy for some reason allows users to navigate not only to the specified folder, but also to other folders located in the same bucket. How can I restrict users so that they can only navigate the specified folder?
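To see why the posted policy behaves this way, here is an added, constructed simulation (not part of the question, and not an AWS tool): a minimal evaluator for the two ListBucket statements that understands Allow statements with StringEquals/StringLike conditions on s3:prefix and s3:delimiter. It models no Deny statements or wildcard resources, and the "tightened" variant is an assumed fix that pins s3:prefix alongside the delimiter, following the shape of the AWS blog policy linked above.

```python
import fnmatch

BUCKET_ARN = "arn:aws:s3:::mybucket"


def condition_matches(condition, request):
    """True if every condition key matches the request's context values."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            actual = request.get(key)
            if actual is None:  # key absent from the request: condition fails
                return False
            if operator == "StringEquals" and actual not in allowed:
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, pat) for pat in allowed):
                return False
    return True


def list_allowed(policy, request):
    """ListBucket is allowed if any Allow statement on the bucket matches."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or BUCKET_ARN not in st["Resource"]:
            continue
        if not {"s3:ListBucket", "s3:*"} & set(st["Action"]):
            continue
        if condition_matches(st.get("Condition", {}), request):
            return True
    return False


def listing_policy(delimiter_condition, folder_pattern):
    """Build just the two ListBucket statements from the question."""
    return {"Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [BUCKET_ARN], "Condition": delimiter_condition},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [BUCKET_ARN],
         "Condition": {"StringLike": {"s3:prefix": [folder_pattern]}}},
    ]}


# As posted: the delimiter statement carries no s3:prefix restriction at all.
AS_POSTED = listing_policy({"StringEquals": {"s3:delimiter": ["/"]}}, "myfolder")
# Assumed fix: the delimiter statement also pins s3:prefix to root + own folder.
TIGHTENED = listing_policy(
    {"StringEquals": {"s3:delimiter": ["/"], "s3:prefix": ["", "myfolder/"]}},
    "myfolder/*")

OTHER_FOLDER = {"s3:prefix": "otherfolder/", "s3:delimiter": "/"}  # constructed
OWN_FOLDER = {"s3:prefix": "myfolder/", "s3:delimiter": "/"}
ROOT = {"s3:prefix": "", "s3:delimiter": "/"}
```

Any ListBucket request that sets delimiter=/ satisfies the posted delimiter statement regardless of prefix, which is exactly the cross-folder browsing described; the tightened variant only matches for the root and the user's own folder.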
I hope this documentation helps you, the steps are broken down and pretty simple:
http://docs.aws.amazon.com/AmazonS3/latest/dev/walkthrough1.html
You can also use policy variables.
It allows you to specify placeholders in the policy. When the policy is evaluated, the policy variables are replaced with values that come from the request itself. For example, ${aws:username}.
Alternatively, you can also check this question on Stackoverflow (if similar):
Prevent the user from even knowing about other users (folders) on AWS S3
I have said this before, but I will answer again from here. Your best bet is to create a user, then add it to a group, and then assign the group r/w access to the bucket. This is a typical example of how to write such a policy:
{
    "Statement": [
        {
            "Sid": "sidgoeshere",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::s3bucket",
                "arn:aws:s3:::s3bucket/*"
            ]
        }
    ]
}