AWS S3 — Folder restrictions using pattern

AWS Policy allows to restrict the permissions to an S3 resource(s) using pattern. The most often requirement is to restrict a specific users to list hierarchy of folder(s) and read/write/delete actions to certain folders.

Since, S3 is not a conventional file system, every object path is a referenced as S3 prefix. To restrict the users permissions, the AWS policy must include conditions to match the prefix or resource pattern of the objects.

Let’s solve some specific use cases and derive at the policy and attach it to IAM User.

In the above policy, the user attached to policy will have access to list the bucket objects matching the pattern dev/*. The condition of StringLike is only applicable for list operations and not for read, write or delete.

The policy is updated to allow list all the objects under dev folder recursively but also to Read, Write and Delete the objects only under the inbound folder matching the pattern. If the user tries to perform any operation on the parent folder not matching the pattern will be denied.

In the policy (dev) is replaced with the aws username. Users with same name as the S3 folders can be created and mapped using the ${aws:username} parameter. This will allow to manage the folder restrictions dynamically.

Additional Resources:

Decisive and multi-faceted IT professional with 12 years of experience delivering data management projects with 5+ years experience in cloud and big data tech