  1. How can I allow reading of all objects except a single folder and its contents? The policy below blocks me from the whole bucket (I can't read the bucket).

  2. If this feature isn't possible, how can I allow reading on files at the root but deny on all subfolders?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Sid": "ReadOnly",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Sid": "DenyOneFolder",
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::my-bucket/my-folder",
                "arn:aws:s3:::my-bucket/my-folder/*"
            ]
        }
    ]
}

My bucket structure:

  • my-bucket
    • my-folder
      • object3
    • object1
    • object2
Rod
  • This is an IAM policy that denies GetObject on `arn:aws:s3:::my-bucket/my-folder/*`. You don't need `arn:aws:s3:::my-bucket/my-folder`, but that shouldn't cause a problem (I'd remove it anyway). Are you 100% sure that you are able to get objects below `s3://my-bucket/my-folder/` with credentials based on this IAM policy? – jarmod Apr 07 '20 at 15:27
  • Yes, same behavior without `arn:aws:s3:::my-bucket/my-folder`. However, without the `Deny` rule I have access to the whole bucket. So, yes, I'm confirming that I have a problem with the `Deny` rule. :( – Rod Apr 07 '20 at 15:35
  • How are you testing this? If you use the AWS console to download the object, that's not valid; you must access the URL directly. – Radu Diță Apr 07 '20 at 15:48
  • @RaduDiță why is that not valid? Assuming that the user logged in with IAM User credentials associated with this policy. – jarmod Apr 07 '20 at 15:50
  • OK, I'm assuming the mistake here is that you are conflating 'listing' with 'getting'. You can't prevent this IAM user listing a subset of the objects in the bucket. But this policy will prevent the IAM user 'getting' the objects under s3://my-bucket/my-folder/ where 'getting' means downloading. – jarmod Apr 07 '20 at 16:03

2 Answers

You can add an explicit Deny in your bucket policy for Listing objects that matches the prefix my-folder.

Edit: This policy will work only if the list bucket request contains the prefix.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Sid": "ReadOnly",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Sid": "DenyOneFolderRead",
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::my-bucket/my-folder/*"
            ]
        },
        {
            "Sid": "DenyOneFolderList",
            "Effect": "Deny",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": "my-folder"
                }
            }
        }
    ]
}
franklinsijo
  • How will this prevent the IAM user simply listing the entire bucket (by providing *no* prefix to the ListBuckets call)? – jarmod Apr 07 '20 at 16:13
  • Did you test this? Specifically, listing the bucket (not bucket+prefix). It will only prevent this: `aws s3 ls my-bucket/my-folder/`. It will not prevent this: `aws s3 ls my-bucket --recursive`. – jarmod Apr 07 '20 at 16:24
  • Ah, I missed that! – franklinsijo Apr 07 '20 at 16:25

The policy works correctly, though I would remove the Deny on arn:aws:s3:::my-bucket/my-folder because it's not useful.

I think the confusion here is that you are expecting this policy to prevent the IAM user listing and/or getting the objects under s3://my-bucket/my-folder/. It won't do that, specifically the listing part, and in fact you cannot do that. You can't control a user's ability to list the bucket at a granular level (e.g. below a specific prefix).

The policy will successfully prevent the user getting (as in downloading) objects under s3://my-bucket/my-folder/.

jarmod
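To see how the policy in the first answer behaves for the requests debated in its comments, and to illustrate jarmod's point in the second answer that a listing sent without a prefix cannot be denied at prefix granularity, here is an added Python model of IAM evaluation (not from the original post and not AWS code). It implements only what this policy uses: wildcard matching on Resource ARNs, explicit Deny overriding Allow with implicit Deny as the default, and the StringEquals condition on s3:prefix; the policy text itself is copied from the first answer.

```python
import fnmatch
import json
# Policy text copied from the answer above; the evaluator below is a simplified model.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my-bucket"},
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "DenyOneFolderRead", "Effect": "Deny", "Action": "s3:GetObject",
     "Resource": ["arn:aws:s3:::my-bucket/my-folder/*"]},
    {"Sid": "DenyOneFolderList", "Effect": "Deny", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my-bucket",
     "Condition": {"StringEquals": {"s3:prefix": "my-folder"}}}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource, context):
    """True if the statement applies to this request (action, ARN, condition)."""
    if action not in _as_list(stmt["Action"]):
        return False
    # IAM's '*' in a Resource matches any characters, '/' included, like fnmatch.
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Only StringEquals is modelled. A key absent from the request (a ListBucket
    # call sent with no prefix) never satisfies it, so the statement does not apply.
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(want):
            return False
    return True

def evaluate(action, resource, context=None):
    """IAM order: any explicit Deny wins, then an Allow, otherwise implicit Deny."""
    context = context or {}
    effects = {s["Effect"] for s in POLICY["Statement"]
               if _matches(s, action, resource, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

if __name__ == "__main__":
    b = "arn:aws:s3:::my-bucket"
    for req in [("s3:GetObject", b + "/object1"), ("s3:GetObject", b + "/my-folder/object3"),
                ("s3:ListBucket", b), ("s3:ListBucket", b, {"s3:prefix": "my-folder"}),
                ("s3:ListBucket", b, {"s3:prefix": "my-folder/"})]:
        print(req, "->", evaluate(*req))
```

The last three cases show the limit raised in the comments: the Deny on listing fires only when the request carries exactly the prefix named in the condition, so a listing with no prefix, or with a prefix that is not byte-for-byte `my-folder`, is still allowed, while GetObject under the folder is denied regardless.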