Home > other >  How to allow access to a folder in AWS s3 and deny access to all other folder?
How to allow access to a folder in AWS s3 and deny access to all other folder?

Time:06-28

I want to allow access to a folder with certain file extension. I have this policy created:

{
    "Version": "2012-10-17",
    "Id": "Policy1464968545158",
    "Statement": [
        {
            "Sid": "allow-policy-1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123123:user/myuser-s3-uploader"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/only-allowed-folder/*/*.jpg",
                "arn:aws:s3:::my-bucket/only-allowed-folder/*/*.jpeg",
                "arn:aws:s3:::my-bucket/only-allowed-folder/*/*.png"
            ]
        },
        {
            "Sid": "allow-policy-2",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

With this policy, I get access denied always. If I remove the second one, however, allow-policy-2, it works.

I also replaced "Principal" : "*" with "arn:aws:iam::123123:user/myuser-s3-uploader" but get the same behaviour.

Is this because Deny has precedence over Allow? Is there a way to achieve this?

FYI, I am using AWS SDK to generate a presigned URL with the same user and then my front-end is using that presigned URL to upload/PUT files. I couldn't find a way to handle this via presigned URL.

CodePudding user response:

Remove deny policy (that you named "allow-policy-2"). On default there is no access granted to any object so I don't see the point of adding deny policy and it looks like it overrides allow policy that you have created as first in the statement ("allow-policy-1")

  • Related