
I have an S3 bucket with two folders (folder1 & folder2). I want all IAM users to access folder1 but only admins to access folder2.

So what I did is:
For admins: I added them to a group with the S3 full access policy.

For other users: I added them to another group with the policy below.

This should work perfectly, but for some reason when the users try to access folder2, the ones who used "Cyber Duck" got permission denied, which is what is required, but some of those who used "ExpanDrive" were able to access folder2.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "DenyFolder2Access",
            "Effect": "Deny",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "folder2/*"
                }
            }
        }
    ]
}
```

I can't see what's wrong here and I would appreciate any help with this.

Zaid Afaneh
  • This might help: [How can I grant a user access to a specific folder in my Amazon S3 bucket?](https://aws.amazon.com/premiumsupport/knowledge-center/s3-folder-user-access/) – jarmod Mar 29 '21 at 22:18
  • If your purpose is to allow all IAM users access to folder1 and admin users with access to folder1 and folder2 then write two IAM policies that allow access to the relevant objects: `arn:aws:s3:::bucket_name/folder1/*` for all IAM users (including admins) and `arn:aws:s3:::bucket_name/folder2/*` for just the admin users. You probably don't need to use deny here. – jarmod Mar 29 '21 at 23:26
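
Added example (not part of the question or the comments): a simplified model of IAM evaluation, in which an explicit Deny wins and anything not allowed is implicitly denied. It compares the question's policy with an allow-only policy scoped to folder1, as the comment suggests. The evaluator, the `Prefix` field standing in for the `s3:prefix` StringLike condition, the `s3:*Object` action pattern in the scoped policy, and the sample requests are assumptions made for illustration; `bucket_name` is the placeholder from the comment.

```python
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::bucket_name"  # placeholder bucket name from the comment

# Policy from the question: Allow everything, Deny ListBucket for prefix folder2/*.
ORIGINAL = [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::*",
     "Prefix": "folder2/*"},
]
# Allow-only policy (assumed shape): nothing outside folder1 is ever granted.
SCOPED = [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Prefix": "folder1/*"},
    {"Effect": "Allow", "Action": "s3:*Object", "Resource": BUCKET + "/folder1/*"},
]
# Constructed sample requests: (action, resource, list prefix or None).
SAMPLES = [
    ("s3:ListBucket", BUCKET, "folder2/"),
    ("s3:ListBucket", BUCKET, "folder2"),
    ("s3:ListBucket", BUCKET, None),
    ("s3:GetObject", BUCKET + "/folder2/report.txt", None),
    ("s3:GetObject", BUCKET + "/folder1/report.txt", None),
]

def matches(stmt, action, resource, prefix):
    """True when the statement applies to the request."""
    if not fnmatchcase(action, stmt["Action"]):
        return False
    if not fnmatchcase(resource, stmt["Resource"]):
        return False
    # StringLike on s3:prefix; a request without a prefix is modelled as "".
    return "Prefix" not in stmt or fnmatchcase(prefix or "", stmt["Prefix"])

def decide(policy, action, resource, prefix=None):
    """Explicit Deny beats Allow; no matching Allow means implicit Deny."""
    hits = [s["Effect"] for s in policy if matches(s, action, resource, prefix)]
    if "Deny" in hits:
        return "Deny"
    return "Allow" if "Allow" in hits else "Deny"

def compare():
    """Decision of each policy for every sample request."""
    return [(a, r, p, decide(ORIGINAL, a, r, p), decide(SCOPED, a, r, p))
            for a, r, p in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

In this model the question's Deny statement only blocks a listing whose prefix matches `folder2/*`; a listing with any other prefix and every object-level action on folder2 still fall under the `s3:*` Allow, while the scoped policy denies all of them by default.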

0 Answers