2

I have a specific folder in my bucket that I would like to restrict to only certain file types. I currently have the following:

{
    "Version": "2012-10-17",
    "Id": "Policy1464968545158",
    "Statement": [
        {
            "Sid": "Stmt1464968483619",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::my-bucket/my-folder/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:prefix": [".txt", ".doc"]
                }
            }
        }
    ]
}

I need something to replace s3:prefix so that instead of looking at the beginning of the file and path, the system is looking at the end. I tried s3:suffix, but this isn't a valid property.

Is there an S3 property that does a wildcard search at the end of the file name so I can whitelist only certain file types for my folder?

Lloyd Banks

2 Answers

4

You should be able to define it in the Resource using a wildcard. Use Effect: Allow if you want the folder to be restricted to .txt and .doc only.

{
    "Version": "2012-10-17",
    "Id": "Policy1464968545158",
    "Statement": [
        {
            "Sid": "Stmt1464968483619",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::my-bucket/my-folder/*.doc",
                "arn:aws:s3:::my-bucket/my-folder/*.txt"
            ]
        }
    ]
}
A.Khan
1

The same way the Deny effect is used, you can use the Allow effect. Both examples are below:

Allow only specific ones and deny specific ones if needed....

{
  "Version": "2012-10-17",
  "Id": "Policy1464968545158",
  "Statement": [
    {
      "Sid": "Stmt1464968483619",
      "Effect": "Allow",
      "Principal": {
        "AWS": "IAM-USER-ARN"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::bucket-name/*.doc",
        "arn:aws:s3:::bucket-name/*.txt"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "NotResource": [
        "arn:aws:s3:::bucket-name/*.png",
        "arn:aws:s3:::bucket-name/*.gif"
      ]
    }
  ]
}
Krunal Barot
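
How the approaches in the answers evaluate, as an added example that is not from either answer: a simplified model of same-account policy evaluation for s3:PutObject, comparing the Allow-only policy from the first answer with a Deny plus NotResource policy that lists the permitted suffixes. The DENY_OTHERS policy, the sample keys and the identity_allows flag (an IAM identity policy that already grants s3:PutObject on the bucket) are assumptions of this example; Principal and Condition matching are not modelled.

```python
import re

BUCKET = "arn:aws:s3:::my-bucket/"

# Allow-only bucket policy, as in the first answer.
ALLOW_ONLY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
    "Resource": [BUCKET + "my-folder/*.doc", BUCKET + "my-folder/*.txt"]}]}

# Deny every key that is NOT an allowed suffix (constructed for this example).
DENY_OTHERS = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "NotResource": [BUCKET + "my-folder/*.doc", BUCKET + "my-folder/*.txt"]}]}


def arn_match(pattern, arn):
    """IAM-style wildcard: '*' is any run of characters ('/' included), '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, arn, re.DOTALL) is not None


def applies(stmt, arn):
    """A statement covers the ARN via Resource, or via the complement of NotResource."""
    if "NotResource" in stmt:
        return not any(arn_match(p, arn) for p in stmt["NotResource"])
    return any(arn_match(p, arn) for p in stmt["Resource"])


def evaluate_put(policy, key, identity_allows=True):
    """Simplified same-account decision for s3:PutObject on `key`.

    identity_allows models an IAM identity policy that already grants
    s3:PutObject on the whole bucket (an assumption of this example).
    """
    arn = BUCKET + key
    hits = [s for s in policy["Statement"] if applies(s, arn)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "Deny"   # an explicit Deny always wins
    if identity_allows or any(s["Effect"] == "Allow" for s in hits):
        return "Allow"  # one Allow from either policy is enough
    return "Deny"       # implicit deny


if __name__ == "__main__":
    for key in ("my-folder/a.txt", "my-folder/a.exe", "my-folder/sub/a.doc",
                "my-folder/A.TXT", "other-folder/a.png"):
        print(f"{key:22} allow-only={evaluate_put(ALLOW_ONLY, key):5} "
              f"deny-others={evaluate_put(DENY_OTHERS, key)}")
```

Because a statement takes either Resource or NotResource but not both, the Deny here also covers keys outside my-folder. The match is on the key name only, so it says nothing about the content of the uploaded file.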