AWS IAM Policy to Provide Specific S3 Bucket and Folder Permission
To grant a user access to a specific folder in your Amazon S3 bucket, use the IAM policy below, replacing `<Bucket-name>` with the name of your bucket:
1{
2 "Version": "2012-10-17",
3 "Statement": [
4 {
5 "Sid": "VisualEditor0",
6 "Effect": "Allow",
7 "Action": "s3:GetBucketLocation",
8 "Resource": "arn:aws:s3:::*"
9 },
10 {
11 "Sid": "VisualEditor1",
12 "Effect": "Allow",
13 "Action": "s3:ListBucket",
14 "Resource": "arn:aws:s3:::<Bucket-name>",
15 "Condition": {
16 "StringEquals": {
17 "s3:prefix": [
18 "",
19 "test-folder/",
20 "test-folder/sub-test-folder"
21 ],
22 "s3:delimiter": "/"
23 }
24 }
25 },
26
27 {
28 "Sid": "VisualEditor2",
29 "Effect": "Allow",
30 "Action": "s3:ListBucket",
31 "Resource": "arn:aws:s3:::<Bucket-name>",
32 "Condition": {
33 "StringLike": {
34 "s3:prefix": "test-folder/sub-test-folder/*"
35 }
36 }
37 },
38 {
39 "Sid": "VisualEditor3",
40 "Effect": "Allow",
41 "Action": "s3:ListAllMyBuckets",
42 "Resource": "arn:aws:s3:::*"
43 },
44 {
45 "Sid": "VisualEditor4",
46 "Effect": "Allow",
47 "Action": "s3:*Object",
48 "Resource": [
49 "arn:aws:s3:::<Bucket-name>/test-folder/sub-test-folder/*"
50 ]
51 }
52 ]
53}
Note: Instead of `s3:*Object` (which matches every object-level action, including `s3:PutObject` and `s3:DeleteObject`) you can grant only the specific object-level permissions the user needs, such as `s3:GetObject`.