
I am trying to deny a specific user list, read, and write access to a specific folder in my bucket. I am able to allow the user to see other folders, but on adding a deny policy to the account (added through groups), I get an access denied message.

This is what I have for the deny access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::myBucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "Admin/*"
        }
      }
    }
  ]
}

In theory, I would like to limit a certain user to not be able to do the above regarding the Admin folder, however they still need to be able to view the bucket for other folders.

I have also tried:

{
  "Id": "Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1516743098844",
      "Action": [
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::mybucket/Admin/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::11111111:user/Jenny"
        ]
      }
    }
  ]
}

Both of the above JSON statements were created using the Policy Generator for S3 Bucket Policy and IAM Policy.

Any clue on how to deny list access to a folder but allow viewing the bucket?

John Rotenstein
Mike
  • I'm not sure this will apply to your use case, but have you thought of having a different bucket for your `admin` stuff? That will make permissions management much easier and less error-prone. – Viccari Jan 24 '18 at 00:00
  • That will be my next step once I get back to a computer. I am guessing having an allow ListBucket and a deny list in the same group may be throwing the access denied – Mike Jan 24 '18 at 03:14

1 Answer


Your first statement works perfectly fine for me!

$ aws s3 ls s3://my-bucket/
                           PRE Admin/
                           PRE other/
2018-01-23 16:33:07      15091 cat.jpg

$ aws s3 ls s3://my-bucket/other/
2018-01-23 16:34:02         91 foo

$ aws s3 ls s3://my-bucket/Admin/

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
John Rotenstein
  • Thanks for the comments, when I add both policies to the group which the user is a part of, the user gets an access denied just trying to view the bucket. Back to the drawing board to see what I am doing wrong – Mike Jan 24 '18 at 02:19
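To make the three `aws s3 ls` results in the answer concrete, here is an added Python model (not code from the question or the answer) of how IAM resolves the first policy: an explicit Deny wins over the Allow, and the Deny only applies when the request's `s3:prefix` matches the `StringLike` pattern. The bucket name `myBucket`, the prefixes and the object key are constructed; `HARDENED_POLICY` is an assumed combination of the two policies the poster tried, not something from the page.

```python
"""Added example: minimal model of IAM evaluation for the poster's first
policy. Explicit Deny beats Allow; the Deny applies only when the request
context's s3:prefix matches the StringLike pattern. Bucket name, prefixes
and object key are constructed for the demo."""
import fnmatch
import json

# Copy of the first policy from the question (IAM identity policy, no Principal).
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::myBucket",
     "Condition": {"StringLike": {"s3:prefix": "Admin/*"}}}
  ]
}
""")

# Assumed hardening (editor's combination of both policies in the question):
# the prefix pattern also covers "Admin" with no trailing slash, and object
# reads/writes under Admin/ are denied as well, because denying ListBucket
# alone does not stop GetObject on a key the caller already knows.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::myBucket",
     "Condition": {"StringLike": {"s3:prefix": ["Admin", "Admin/*"]}}},
    {"Effect": "Deny", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::myBucket/Admin/*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches one. fnmatch also treats '[...]' as a character class,
    # which IAM does not, so brackets are escaped before matching.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _statement_applies(stmt, action, resource, context):
    if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    # Only StringLike is modelled. Every condition key must match (AND);
    # any one of a key's values may match (OR). A key missing from the
    # request context makes the condition false.
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, patterns in keys.items():
            if key not in context:
                return False
            if not any(_glob(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            decision = "Allow"
    return decision


def list_bucket(policy, prefix):
    """What `aws s3 ls s3://myBucket/<prefix>` sends: ListBucket with s3:prefix."""
    return evaluate(policy, "s3:ListBucket", "arn:aws:s3:::myBucket",
                    {"s3:prefix": prefix})


def get_object(policy, key):
    """GetObject on one key; the resource is the object ARN, not the bucket."""
    return evaluate(policy, "s3:GetObject", f"arn:aws:s3:::myBucket/{key}")


if __name__ == "__main__":
    for prefix in ["", "other/", "Admin/", "Admin"]:
        print(f"ls {prefix!r:10} question={list_bucket(QUESTION_POLICY, prefix):12}"
              f" hardened={list_bucket(HARDENED_POLICY, prefix)}")
    print("get Admin/secret.txt:", get_object(QUESTION_POLICY, "Admin/secret.txt"),
          get_object(HARDENED_POLICY, "Admin/secret.txt"))
```

Running it reproduces the answer's three listings (root and `other/` allowed, `Admin/` explicitly denied) and shows two things the listing alone does not: with the pattern `Admin/*` a prefix of exactly `Admin` is not matched, and `s3:GetObject` on a key under `Admin/` is still allowed by the first policy, which is what the second policy's object-level Deny addresses. Note also that the second JSON carries a `Principal` element, which is bucket-policy syntax; IAM identity (user or group) policies do not take a `Principal`, so that document cannot be attached to a group as-is.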