AWS S3 — Folder restrictions using pattern
AWS Policy allows to restrict the permissions to an S3 resource(s) using pattern. The most often requirement is to restrict a specific users to list hierarchy of folder(s) and read/write/delete actions to certain folders.
Since, S3 is not a conventional file system, every object path is a referenced as S3 prefix. To restrict the users permissions, the AWS policy must include conditions to match the prefix or resource pattern of the objects.
Let’s solve some specific use cases and derive at the policy and attach it to IAM User.
The user must have the permission to list a folder -recursively.
In the above policy, the user attached to policy will have access to list the bucket objects matching the pattern dev/*. The condition of StringLike is only applicable for list operations and not for read, write or delete.
The user must have permission to read/write/delete to specific folder matching pattern.
The policy is updated to allow list all the objects under dev folder recursively but also to Read, Write and Delete the objects only under the inbound folder matching the pattern. If the user tries to perform any operation on the parent folder not matching the pattern will be denied.
The policy must be dynamic to allow folders matching the username.
In the policy (dev) is replaced with the aws username. Users with same name as the S3 folders can be created and mapped using the ${aws:username} parameter. This will allow to manage the folder restrictions dynamically.
Additional Resources: