AWS S3 policy restrict folder delete

Question

I have a S3 bucket named "uploads" with this structure:

uploads|
       |_products
       |_users
       |_categories
       |_...  

I want restrict users from deleting folders (products, users, ...) but they can delete objects inside those folers. My policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:GetObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::uploads",
                "arn:aws:s3:::uploads/*"
            ]
        },

        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::uploads/banners/*",
                "arn:aws:s3:::uploads/brands/*",
                "arn:aws:s3:::uploads/categories/*",
                "arn:aws:s3:::uploads/products/*",
                "arn:aws:s3:::uploads/users/*"
            ]
        }

    ]
} 

But i tested and user was able to delete folder, where did i go wrong?

Answer 1

Folders do not exist in Amazon S3.

If an object is created (eg banners/sale.jpg), then the banners directory will magically appear. Then, if that object is deleted, then the directory will magically disappear. This is because directories do not exist in Amazon S3.

So, you need not worry about people deleting a directory because it will automatically reappear when an object is created in that path.

If the Create Folder button is used in the S3 management console, a zero-length object is created with the same name as the directory. This forces the directory to 'appear' (even though it doesn't exist).

From your description, it sounds like the user has the ability to delete the zero-length object, since it has the same path as the Resource you have specified. If so, then there is no way to prevent this from happening purely from a Policy.