IAM AWS S3 to restrict to a specific sub-folder
Here's a policy that will work for you:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket/toto3/*"
]
},
{
"Sid": "Stmt1457617230000",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"toto3/"
]
}
},
"Resource": [
"arn:aws:s3:::mybucket*"
]
}
]
}
Details:
ListAllMyBucketsis required by the Console. It shows a list of all buckets.- Any action permitted within the
toto3/path. ListBucket(retrieve objects list) permitted in the root of the bucket and in thetoto3/path.
I successfully tested this solution.
AWS Documentation Reference: Allow Users to Access a Personal "Home Directory" in Amazon S3
I edit your code to have the following and it works ! THanks !!
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket/toto3/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"toto3/",
"toto3*"
]
}
}
}
]
}