Why cant I access a specific folder or Amazon S3 bucket?
Recently, I had a chance to work on Amazon S3 policy creation to restrict the access to specific folder inside the bucket for specific users. Show I have seen the below description on Amazon docs:
If you applied the above policy, need to enter the exact path to access the files, it won’t list the bucket or folders inside the bucket when you access the account from Amazon web interface or s3ftp tools. But my requirement is to list the buckets and folders but restrict the access to specific folder. My requirement: What i did is: Policy to restrict the folder accessfor example, if you have “folder1”, “folder2” folders under “bucket1”, and wanted to give the “folder1” access to “client1” users and “folder2” access to the “client2” users. Here is the policy we need to apply to the “client1” user group: Policy to apply on “client2” user group: { "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Deny", "Action": [ "s3:ListBucket" ], "Resource": "arn:aws:s3:::*", "Condition": { "StringLike": { "s3:prefix": "folder1/*" } } } ] }In above policies, we added two actions, one will allow all the resources and the other deny the particular folder access. Policy to restrict the bucket accessIf you created the different buckets (bucket1, bucket2), wanted to give the “bucket1” access to “client1” and “bucket2” access to the “client2” then: Here is the policy to apply on “client1” user group: { "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Deny", "Action": [ "s3:ListBucket" ], "NotResource": [ "arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*" ] }, { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*" ] } ] } }Policy to apply on “client2” user group: I have solved this on my own, I have a bucket policy which restricts users to only upload a certain type of file. So create folder does not work automatically. The bucket policy i used is mentioned below as reference. { "Version": "2012-10-17", "Id": "Policy1657799010112", "Statement": [ { "Sid": "Stmt1657798687256", "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": [ "arn:aws:s3:::testbucketforuploadlimitation/Retailer 1/Latest/Start*.gz", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 2/Latest/Dollar/TrendedDetails-Dollar*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 2/Latest/Unit/TrendedDetails-Unit*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 3/Latest/0*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 3/Latest/1*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 4/Latest/Start*.gz", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 5/Latest/Start*.gz", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 6/Latest/TY/Start*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 6/Latest/YA/Start*.xlsx" ] }, { "Sid": "Stmt1657798687256", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "NotResource": [ "arn:aws:s3:::testbucketforuploadlimitation/Retailer 1/Latest/Start*.gz", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 2/Latest/Dollar/TrendedDetails-Dollar*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 2/Latest/Unit/TrendedDetails-Unit*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 3/Latest/0*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 3/Latest/1*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 4/Latest/Start*.gz", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 5/Latest/Start*.gz", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 6/Latest/TY/Start*.xlsx", "arn:aws:s3:::testbucketforuploadlimitation/Retailer 6/Latest/YA/Start*.xlsx" ] } ]} How do I give access to a specific directory in S3 bucket?If the IAM user and S3 bucket belong to the same AWS account, then you can grant the user access to a specific bucket folder using an IAM policy. As long as the bucket policy doesn't explicitly deny the user access to the folder, you don't need to update the bucket policy if access is granted by the IAM policy.
Why is my S3 bucket Access Denied?If you're getting Access Denied errors on public read requests that are allowed, check the bucket's Amazon S3 Block Public Access settings. Review the S3 Block Public Access settings at both the account and bucket level. These settings can override permissions that allow public read access.
Which features can restrict access to S3?Using Amazon S3 Block Public Access as a centralized way to limit public access. Block Public Access settings override bucket policies and object permissions. Be sure to enable Block Public Access for all accounts and buckets that you don't want publicly accessible.
Can S3 bucket be accessed from any region?S3 Multi-Region Access Points provide a single global endpoint to access a data set that spans multiple S3 buckets in different AWS Regions. This allows you to build multi-region applications with the same simple architecture used in a single region, and then to run those applications anywhere in the world.
|