
I have a bucket: s3://mybucket

I want to allow deletion only for objects under s3://mybucket/test

I tried the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1604573937792",
            "Action": [
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket/",
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": "test/*"
                }
            }
        }
    ]
}

However, the IAM policy simulator trying to delete the object arn:aws:s3:::mybucket/test/x.txt fails saying "implicitly denied (no matching statements)". What should I change?

John Rotenstein

1 Answer


If you look at Actions, resources, and condition keys for Amazon S3 - AWS Identity and Access Management, you'll notice that DeleteObject does not accept a Prefix.

Instead, you can use:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::mybucket/test/*"
        }
    ]
}

John Rotenstein
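To see why the first policy is an implicit deny and the second is an allow, here is a small evaluator I added for this thread; it is not code from the question or the answer and it models only the slice of IAM evaluation that matters here: Action matching, Resource ARN wildcard matching, and a StringLike condition that is false whenever the request context does not carry the key. The `request_context` helper is my simplification: it populates `s3:prefix` only for a list-type request (`s3:ListBucket`), which is why an `s3:DeleteObject` request never satisfies a condition on that key. The bucket and object names are the ones from the question; everything else (function names, the third list-only policy) is illustrative.

```python
"""Toy IAM evaluator for the policies in this thread (added example, not AWS code).

Assumptions (simplified from real IAM):
  * only the StringLike condition operator is modelled
  * s3:prefix is present in the request context only for s3:ListBucket
  * no cross-policy merging; a single policy document is evaluated
"""
import fnmatch

# Policy from the question: DeleteObject gated on s3:prefix (never set for object calls).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::mybucket/", "arn:aws:s3:::mybucket/*"],
        "Condition": {"StringLike": {"s3:prefix": "test/*"}},
    }],
}

# Policy from the answer: the "test/" prefix lives in the Resource ARN instead.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:DeleteObject",
        "Resource": "arn:aws:s3:::mybucket/test/*",
    }],
}

# Illustrative list-only policy showing where s3:prefix *is* the right tool
# (assumed for this example; not part of the original thread).
LIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::mybucket",
        "Condition": {"StringLike": {"s3:prefix": "test/*"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    # A key missing from the request context makes StringLike evaluate to false
    # (there is no "IfExists" suffix in these policies).
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            if key not in context:
                return False
            if not any(_glob(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def request_context(action, prefix=None):
    """Condition keys the request carries (simplified).

    s3:prefix is populated only for list-type requests; an object-level call
    such as s3:DeleteObject has no s3:prefix entry at all.
    """
    if action.lower() == "s3:listbucket" and prefix is not None:
        return {"s3:prefix": prefix}
    return {}


def evaluate(policy, action, resource_arn, prefix=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = request_context(action, prefix)
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue  # statement does not match: contributes nothing
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::mybucket/test/x.txt"
    print("original policy, delete test/x.txt:", evaluate(ORIGINAL_POLICY, "s3:DeleteObject", obj))
    print("fixed policy,    delete test/x.txt:", evaluate(FIXED_POLICY, "s3:DeleteObject", obj))
    print("fixed policy,    delete other/y.txt:",
          evaluate(FIXED_POLICY, "s3:DeleteObject", "arn:aws:s3:::mybucket/other/y.txt"))
    print("list policy,     list prefix test/:",
          evaluate(LIST_POLICY, "s3:ListBucket", "arn:aws:s3:::mybucket", prefix="test/"))
```

The first call reproduces the simulator's "implicitly denied (no matching statements)": the statement's Action and Resource match, but the `s3:prefix` condition can never be satisfied because a DeleteObject request has no such key, so the statement is skipped. Moving the path into the Resource ARN, as the answer does, is what scopes deletes to `test/`; `s3:prefix` belongs on `s3:ListBucket` against the bucket ARN, where the key actually exists.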