
AWS S3 Policy to Restrict User to List Only Certain Folders in a Bucket

I'm having difficulty creating an AWS S3 policy to allow a customer to list and access only certain objects with extensions in specific folders and subfolders, while not being able to list or access other folders, subfolders, or objects.

Let's say we have this structure:

S3
.
├── BucketManagement
|   └── Accounting
|
├── BucketHR
|   ├── Insurance
|   └── Resume
|
└── BucketCustomers
    ├── custAcmeAnvils
    ├── custBoboBakery
    |   ├── projCakewalk
    |   |   ├── batter.txt
    |   |   ├── cupcake.txt
    |   |   ├── PROFIT.XLS
    |   |   └── cooktime.txt
    |   ├── projPieFace
    |   └── projFlourPower
    |       ├── dough.txt
    |       └── LAWSUITS.DOC
    └── custCocoCabana

I've created an IAM user for my customer "Bobo's Bakery". I want to allow my customer Mr. Bobo to see and access only certain folders, subfolders, and objects (files). I don't want Mr. Bobo to see or access any other buckets, folders, subfolders, or objects.

In this example, I only want Mr. Bobo to be able to list and download the objects with the ".txt" extension in certain subfolders and not see, list, or access any other folders, subfolders, or objects with other extensions.

Ideally, when Mr. Bobo logs in to the S3 console, he sees ONLY this bucket (I know this may not be possible, as all buckets will have to be visible):

BucketCustomers

Then when Mr. Bobo clicks that bucket, he sees ONLY this folder "custBoboBakery":

BucketCustomers
└── custBoboBakery

Then when Mr. Bobo clicks that folder, he sees ONLY these 2 subfolders "projCakewalk" and "projFlourPower":

custBoboBakery
├── projCakewalk
└── projFlourPower

Note: I do not want Mr. Bobo to see the subfolder projPieFace. Then when Mr. Bobo clicks either subfolder projCakewalk or projFlourPower, he sees ONLY objects with the ".txt" extension.

projCakewalk
├── batter.txt
├── cupcake.txt
└── cooktime.txt

projFlourPower
└── dough.txt

Mr. Bobo should not be able to see the objects with ".XLS" or ".DOC" extensions. He can then download those .txt files. Mr. Bobo should not have delete or upload permissions.

Can you advise how to write this policy?

S3 is object storage with a flat namespace, not a file system. This means all the files and folders you access are ultimately just flat names.

For instance, your folder path projCakewalk->batter.txt is simply a file named projCakewalk/batter.txt. This means that if you want to access this specific file, you need to use the complete name (path).

To restrict access to specific folders and paths, S3 provides the ability to create bucket policies as well as IAM policies; structurally they are both similar. To serve your purpose, you could refer to this link.

A sample policy from that page is reproduced below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "home/", "home/David"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/David/*"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-company/home/David/*"]
    }
  ]
}

In the above policy: the first part allows listing all buckets (you do not need this); the second part allows listing specific subfolders of the my-company bucket; the third part allows access only to a specific file-name pattern (you can use a similar condition to restrict access to specific files, just remove the asterisk).
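Applying the same pattern to the bucket layout in the question, here is an added example IAM policy for Mr. Bobo's user; it is not taken from the linked page or the answer above. Bucket and key names are copied from the question as written (note that real S3 bucket names must be lowercase), and the policy grants only listing and GetObject, so uploads and deletes are denied by default.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConsoleNeedsBucketList",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "ListOnlyBobosFolders",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BucketCustomers",
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "custBoboBakery/",
            "custBoboBakery/projCakewalk/",
            "custBoboBakery/projFlourPower/"
          ],
          "s3:delimiter": "/"
        }
      }
    },
    {
      "Sid": "DownloadTxtOnly",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::BucketCustomers/custBoboBakery/projCakewalk/*.txt",
        "arn:aws:s3:::BucketCustomers/custBoboBakery/projFlourPower/*.txt"
      ]
    }
  ]
}
```

The s3:prefix condition controls which prefixes the user may list, not which names come back, so the root listing still shows the other customers' folder names and projPieFace still appears under custBoboBakery. Likewise PROFIT.XLS and LAWSUITS.DOC still show up in their folder listings; only the GetObject on them is refused.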
