0

I have a bucket "mybucket" in which there is a folder "myfolder". In the same bucket there is also another folder "notmyfolder".

This is the policy that I think "should" work.

{
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "myfolder",
                        "myfolder/*"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

But when testing with the policy simulator, trying to do GetObject on a file in myfolder gets denied.

If I change it to

{
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::pangea-configuration/myfolder/*"
            ]
        }
    ]
}

Now the simulator says I can access the file in myfolder. But it also lets me access a file in notmyfolder.

What am I missing here?

Jack-of-some
  • Where exactly is `notmyfolder` located? In `myfolder`? Your question is unclear. – Marcin May 22 '23 at 23:52
  • It would appear that _something else_ is granting permission to access `notmyfolder`. Try temporarily removing the above permissions and then try to access `notmyfolder` to determine what is happening. – John Rotenstein May 23 '23 at 00:15
  • @Marcin I modified the text to be more explicit. They are both top level folders in the same bucket. – Jack-of-some May 23 '23 at 00:16
  • Second policy is correct. It's not possible for you to access `notmyfolder` using it, unless you have other policies (not shown in the question) which allow that. – Marcin May 23 '23 at 00:21
  • @JohnRotenstein might have been some kind of caching issue, because now notmyfolder is correctly blocked in all cases. So, one issue down. Still no idea why the first policy doesn't work for the file in myfolder though. – Jack-of-some May 23 '23 at 00:26
  • @Marcin yeah, I couldn't figure that out either. I think it was some kind of caching issue. I repro'ed it 3 times before. But now it won't allow access to notmyfolder, so that part is good. But what is wrong with the first policy? It is almost an exact match to what I found in the AWS docs. – Jack-of-some May 23 '23 at 00:29
  • Can you point us to where you saw `s3:prefix` being used? I suspect that it is used with `ListObject` but not `GetObject`. – John Rotenstein May 23 '23 at 00:36

2 Answers

2

The policy you've shown doesn't allow any access to objects because the resource you've indicated (arn:aws:s3:::mybucket) is a bucket ARN, not an object ARN. You've allowed an object-level action against a bucket ARN, which won't do anything useful.

The resource should be arn:aws:s3:::mybucket/myfolder/*. And you don't need any condition in the IAM policy because the default is to implicitly deny. The policy will not allow any access to objects under the notmyfolder prefix.

jarmod
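To make the two points in this answer (and John Rotenstein's comment about `s3:prefix`) reproducible offline, here is an added example that is not part of the original question or answers. It is a deliberately small model of IAM evaluation (wildcard ARN matching, `StringLike` conditions, and the allow / explicit-deny / implicit-deny decision), not the real simulator, and it assumes the object keys `myfolder/report.txt` and `notmyfolder/report.txt` and the corrected policy below, all constructed for the example. The corrected policy keeps the first policy's `s3:prefix` condition, but attaches it to `s3:ListBucket` against the bucket ARN, which is the action that actually carries that key; `s3:GetObject` gets the object ARN `arn:aws:s3:::mybucket/myfolder/*` with no condition.

```python
import fnmatch
import json
from typing import Optional

# Added example: a simplified model of IAM policy evaluation for S3.
# It covers only what this thread needs: * and ? wildcards in ARNs and
# actions, the StringLike condition operator, and the default-deny rule.

# Policy as posted in the question (object-level action, bucket ARN).
POLICY_FROM_QUESTION = {
    "Statement": [
        {
            "Action": ["s3:GetObject"],
            "Condition": {"StringLike": {"s3:prefix": ["myfolder", "myfolder/*"]}},
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket"],
        }
    ]
}

# Corrected policy (constructed for this example): GetObject on the object
# ARN, and the s3:prefix condition moved to ListBucket on the bucket ARN.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadObjectsInMyFolder",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::mybucket/myfolder/*"],
        },
        {
            "Sid": "ListOnlyMyFolder",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::mybucket"],
            "Condition": {"StringLike": {"s3:prefix": ["myfolder", "myfolder/*"]}},
        },
    ],
}


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM resource matching: * and ? wildcards, case-sensitive, * spans '/'."""
    pattern = pattern.replace("[", "[[]")  # no character classes in IAM
    return fnmatch.fnmatchcase(arn, pattern)


def action_matches(pattern: str, action: str) -> bool:
    """Action names are matched case-insensitively, with * wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_holds(condition: dict, context: dict) -> bool:
    """Only StringLike is modelled. A key absent from the request context
    makes the condition false (IAM behaviour for non-IfExists operators).
    GetObject requests never carry s3:prefix, so that key sinks the
    question's statement even before the resource mismatch is considered."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            if key not in context:
                return False
            patterns = patterns if isinstance(patterns, list) else [patterns]
            if not any(fnmatch.fnmatchcase(context[key], p) for p in patterns):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str,
             context: Optional[dict] = None) -> str:
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request."""
    context = context or {}
    decision = "implicit deny"  # nothing matched: default deny
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(action_matches(a, action) for a in actions):
            continue
        if not any(arn_matches(r, resource) for r in resources):
            continue  # e.g. bucket ARN never matches an object ARN
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


def check_policies() -> dict:
    """Replay the thread's scenarios against both policies."""
    obj_mine = "arn:aws:s3:::mybucket/myfolder/report.txt"
    obj_other = "arn:aws:s3:::mybucket/notmyfolder/report.txt"
    bucket = "arn:aws:s3:::mybucket"
    return {
        "question_get_mine": evaluate(POLICY_FROM_QUESTION, "s3:GetObject", obj_mine),
        "question_condition_for_getobject": condition_holds(
            POLICY_FROM_QUESTION["Statement"][0]["Condition"], {}),
        "fixed_get_mine": evaluate(CORRECTED_POLICY, "s3:GetObject", obj_mine),
        "fixed_get_other": evaluate(CORRECTED_POLICY, "s3:GetObject", obj_other),
        "fixed_list_mine": evaluate(CORRECTED_POLICY, "s3:ListBucket", bucket,
                                    {"s3:prefix": "myfolder/"}),
        "fixed_list_other": evaluate(CORRECTED_POLICY, "s3:ListBucket", bucket,
                                     {"s3:prefix": "notmyfolder/"}),
    }


if __name__ == "__main__":
    print(json.dumps(check_policies(), indent=2))
```

Running it shows the question's policy ending in an implicit deny for the object in myfolder, and the corrected policy allowing GetObject and ListBucket for myfolder while leaving notmyfolder at the default deny, with no Deny statement needed. The model ignores bucket policies, SCPs and session policies, which is exactly why the comments suggest removing the policy to find whatever else was granting access to notmyfolder.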
0

In the initial configuration you are omitting some permissions, since in addition to the permissions on the prefix you must be able to list the objects inside the bucket, not just its folder.

You can check the step by step in the following link:

https://repost.aws/knowledge-center/iam-s3-user-specific-folder

Greetings

Mariague