I want to use IAM user policies to restrict access to specific folders within Amazon S3 buckets.

You can use AWS Identity and Access Management (IAM) user policies to control who has access to specific folders in your Amazon Simple Storage Service (Amazon S3) buckets.

Single-user policy - This example policy allows a specific IAM user to see specific folders at the first level of the bucket and then to take action on objects in the desired folders and subfolders. This example uses an IAM user named David and a bucket named my-company with the following structure:

/home/Adele/
/home/Bob/
/home/David/
/restricted/
/root-file.txt

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition": {"StringEquals": {"s3:prefix": ["", "home/"], "s3:delimiter": ["/"]}}
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition": {"StringLike": {"s3:prefix": ["home/David/*"]}}
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-company/home/David/*"]
    }
  ]
}

The Amazon S3 console uses the slash (/) as a special character to show objects in folders. The prefix (s3:prefix) and delimiter (s3:delimiter) condition keys let the policy restrict which bucket listings the user can request: with the conditions above, the user can list the bucket root and the home/ folder only as folder views (delimiter "/"), and can list object keys only under their own folder.

Multiple-user policy - In some cases, you might not know the exact name of the resource when you write the policy. For example, you might want to allow every user to have their own objects in an Amazon S3 bucket, as in the previous example. However, instead of creating a separate policy for each user that specifies the user's name as part of the resource, you can create a single group policy that works for any user in that group.

You can do this by using policy variables, which allow you to specify placeholders in a policy. When the policy is evaluated, the policy variables are replaced with values that come from the request itself.

This example shows a policy for an Amazon S3 bucket that uses the policy variable ${aws:username}:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-company"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "home/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-company"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "home/${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-company/home/${aws:username}/*"
            ]
        }
    ]
}

Note: Only StringLike recognizes an asterisk (*) as a wildcard. StringEquals treats it as a literal character, so a pattern such as "home/*" under StringEquals matches only a prefix that is literally "home/*".
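To check how the single-user and multi-user policies above behave for concrete requests, the following added example (not AWS code and not part of this article) evaluates the ${aws:username} policy offline with a small model of IAM evaluation: policy-variable substitution, wildcard Action and Resource matching, StringEquals versus StringLike conditions, and implicit deny. The sample requests, the object name notes.txt and the user names are constructed for illustration; the policy content is the one shown above.

```python
"""Offline evaluator for the S3 home-folder policy above (added example, not AWS code).
It models only what the page relies on: policy variables, wildcard resources,
StringEquals vs StringLike conditions, and implicit deny. Real IAM has more rules."""
import re

# The multi-user policy from the page, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUserToSeeBucketListInTheConsole",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Effect": "Allow", "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "AllowRootAndHomeListingOfCompanyBucket",
         "Action": ["s3:ListBucket"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::my-company"],
         "Condition": {"StringEquals": {"s3:prefix": ["", "home/"],
                                        "s3:delimiter": ["/"]}}},
        {"Sid": "AllowListingOfUserFolder",
         "Action": ["s3:ListBucket"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::my-company"],
         "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
        {"Sid": "AllowAllS3ActionsInUserFolder",
         "Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::my-company/home/${aws:username}/*"]},
    ],
}

def substitute(text, ctx):
    """Replace ${key} policy variables with values from the request context.
    An unknown variable is left as literal text, so it matches no real resource."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), text)

def _glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None

def match_string(operator, pattern, value):
    """StringEquals treats '*' as a literal character; only StringLike expands it."""
    if operator == "StringEquals":
        return pattern == value
    if operator == "StringLike":
        return _glob(pattern, value)
    raise ValueError(f"unsupported condition operator: {operator}")

def _condition_ok(condition, ctx):
    # All keys must be satisfied (AND); any listed value may match (OR).
    # A key absent from the request never satisfies StringEquals or StringLike.
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if key not in ctx:
                return False
            patterns = [patterns] if isinstance(patterns, str) else patterns
            if not any(match_string(operator, substitute(p, ctx), ctx[key]) for p in patterns):
                return False
    return True

def evaluate(policy, request):
    """Return 'Allow' or 'Deny': an explicit Deny wins, otherwise any matching Allow allows."""
    ctx, allowed = request["context"], False
    for stmt in policy["Statement"]:
        if not any(_glob(a, request["action"]) for a in stmt["Action"]):
            continue
        if not any(_glob(substitute(r, ctx), request["resource"]) for r in stmt["Resource"]):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow is an implicit deny

def s3_request(action, resource, username, prefix=None, delimiter=None):
    """Build a request; s3:prefix and s3:delimiter exist only when the caller sends them."""
    ctx = {"aws:username": username}
    if prefix is not None:
        ctx["s3:prefix"] = prefix
    if delimiter is not None:
        ctx["s3:delimiter"] = delimiter
    return {"action": action, "resource": resource, "context": ctx}

def demo(username="David"):
    """Evaluate constructed sample requests for one IAM user against POLICY."""
    b = "arn:aws:s3:::my-company"
    cases = {
        "console bucket list": s3_request("s3:ListAllMyBuckets", b, username),
        "list root, delimiter /": s3_request("s3:ListBucket", b, username, prefix="", delimiter="/"),
        "list home/, delimiter /": s3_request("s3:ListBucket", b, username, prefix="home/", delimiter="/"),
        "list own folder": s3_request("s3:ListBucket", b, username, prefix=f"home/{username}/"),
        "list Bob's folder": s3_request("s3:ListBucket", b, username, prefix="home/Bob/", delimiter="/"),
        "list root, no delimiter": s3_request("s3:ListBucket", b, username, prefix=""),
        "get own object": s3_request("s3:GetObject", f"{b}/home/{username}/notes.txt", username),
        "get Bob's object": s3_request("s3:GetObject", f"{b}/home/Bob/notes.txt", username),
        "get root-file.txt": s3_request("s3:GetObject", f"{b}/root-file.txt", username),
    }
    return {name: evaluate(POLICY, req) for name, req in cases.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26s} {decision}")
```

Two results are worth noting. A root listing without a delimiter is denied, because the StringEquals condition requires s3:delimiter to be present and equal to "/", which is what stops a user from pulling every key in the bucket in one flat listing. And match_string shows the note above directly: "home/*" under StringEquals does not match "home/David/", while the same pattern under StringLike does.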


Published: 2017-07-26

Updated: 2018-01-15