
I have the following bucket structure

--- MyBucket.Secure
------Database
---------App1
---------App2

I need to update my IAM role to only allow get/list on MyBucket.Secure/Database/App1.

My situation is similar to the AWS docs on restricting a user folder: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-s3-home-directory

Having read the guide I came up with the following policy to try and meet the restriction I require:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1408970346000",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::MyBucket.Secure",
            "Condition": {"StringLike": {"s3:prefix": [
                "",
                "Database/",
                "Database/App1/*"
            ]}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::MyBucket.Secure/Database/App1",
                "arn:aws:s3:::MyBucket.Secure/Database/App1/*"
            ]
        }
    ]
}

When I use the above policy though I get the following error: A client error (403) occurred when calling the HeadObject operation: Forbidden

Any ideas what else I should change to get this going?

Simon H
iFunky
  • Are you happy for them to see a listing of all bucket names, but you merely want to restrict their ability to Get/List the content of a particular path? If so, try it without the Condition -- the resource should be sufficient. – John Rotenstein Apr 20 '17 at 21:37
  • Thanks for the response. I tried removing just the condition and it reverts back to the error: fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden. I've tried all sorts and just can't get it to work! The only way I can get it going is by allowing access from the root: "arn:aws:s3:::MyBucket.Secure", "arn:aws:s3:::MyBucket.Secure/*" – iFunky Apr 21 '17 at 12:23

1 Answer

Your policy worked perfectly well for me when issuing a command like:

aws s3 ls s3://MyBucket.Secure/Database/App1/

(Of course, I used my own bucket to test it.)

However:

  • Remove the empty string ("") from the s3:prefix section otherwise the user can also list the root of the bucket
  • Remove s3:List* at the bottom -- it's not needed
John Rotenstein
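To see why the answer's two changes matter before touching a real account, the following added example (written for this page, not code from the asker, the answerer or AWS) runs the question's policy through a deliberately small IAM-style evaluator. It models only what this policy uses: Allow statements, wildcard matching on actions and ARNs, and the StringLike condition on s3:prefix. The evaluator, the harden() helper and the request contexts are assumptions for illustration; in particular a root listing (aws s3 ls s3://MyBucket.Secure/) is modelled as a request whose s3:prefix is the empty string, which is the case the answer says the "" entry opens up.

```python
import copy
import fnmatch

# The policy exactly as posted in the question.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1408970346000",
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::*"],
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::MyBucket.Secure",
            "Condition": {"StringLike": {"s3:prefix": ["", "Database/", "Database/App1/*"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": [
                "arn:aws:s3:::MyBucket.Secure/Database/App1",
                "arn:aws:s3:::MyBucket.Secure/Database/App1/*",
            ],
        },
    ],
}

BUCKET_ARN = "arn:aws:s3:::MyBucket.Secure"


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Simplified IAM wildcard matching: '*' matches any run of characters.
    # fnmatch also treats '[' specially, which IAM does not; none of the sample
    # keys contain it, so this assumption is safe here.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource, context=None):
    """Return True if any Allow statement (with its conditions) covers the request.
    Explicit Deny and cross-account rules are out of scope for this toy evaluator."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        # StringLike: every condition key must be present and match one pattern.
        string_like = stmt.get("Condition", {}).get("StringLike", {})
        if all(
            key in context and any(_matches(p, context[key]) for p in _as_list(patterns))
            for key, patterns in string_like.items()
        ):
            return True
    return False


def harden(policy):
    """Apply the answer's two fixes: drop the "" prefix and the s3:List* action."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        string_like = stmt.get("Condition", {}).get("StringLike", {})
        if "s3:prefix" in string_like:
            string_like["s3:prefix"] = [p for p in _as_list(string_like["s3:prefix"]) if p != ""]
        stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a != "s3:List*"]
    return fixed


HARDENED_POLICY = harden(ORIGINAL_POLICY)


def root_listing_allowed(policy):
    """Can the role list the top level of the bucket (prefix "")?"""
    return is_allowed(policy, "s3:ListBucket", BUCKET_ARN, {"s3:prefix": ""})


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "root listing:", root_listing_allowed(policy))
        print(name, "App1 listing:", is_allowed(policy, "s3:ListBucket", BUCKET_ARN, {"s3:prefix": "Database/App1/"}))
        print(name, "App1 GetObject:", is_allowed(policy, "s3:GetObject", BUCKET_ARN + "/Database/App1/report.csv"))
        print(name, "App2 GetObject:", is_allowed(policy, "s3:GetObject", BUCKET_ARN + "/Database/App2/report.csv"))
```

The run shows the original policy permitting a root listing while the hardened one refuses it, with listing and object reads under Database/App1/ unaffected and reads under Database/App2/ denied in both. The same kind of check against a real account is what the IAM policy simulator does, with the advantage that it also accounts for Deny statements and bucket policies, which this toy evaluator ignores.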