I have a group policy that allows full access to several S3 buckets.
This policy allows read and write to the bucket.
The team that uses these buckets wants that one of the folders will be read-only for their group without the ability to write or delete its contents.
How do I provide that while still allowing them to have full access to all the other folders?
To allow access to "every folder except one", you will need to use an Allow policy and a Deny policy. This is because a Deny always overrides an Allow.
You should put the desired IAM Users into an IAM Group, then add a policy like this to the IAM Group:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket/*",
},
{
"Effect": "Deny",
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/read-only-path/*",
}
]
}
Be a little careful with the Allow — it is not good practice to grant s3:* to the bucket since this is probably giving them too much permission. So, trim it down to what they actually need.