Need particular folder level access in S3 - amazon-web-services

I am creating a user test in AWS IAM access . Also create a bucket name AWS-test,Under this bucket there is a folder called 'newfol' . I want to give permission to test user to particular newfol folder . test user only can upload file in newfol folder and also that user not able to see any other bucket or any other folder which is present under AWS-test .
I am written below json for that . But using that I able to enter AWS-test bucket and check all folder over there and upload file in all folder under AWs-test .
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::AWS-test"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::AWS-test/newfol/*"
}
]
}

The first part of your json will get a list of all objects in the AWS-test bucket. If you just want them to be able to upload to the newfol folder, then delete the first part of the json and it should work.

Related

Amazon Cognito and S3: Read/write permissions for specific folder only

I'm trying to allow my AWS Cognito users to be able to upload their files in their own folder inside my S3 bucket. They should also be able to read them back. But no one should be able to upload files to any other folder, nor should they be able to read anything from any other folder.
Therefore, I'm creating each user's folder using their Cognito username and putting their files therein. But I just found that usernames are unique only within the User Pool in which they are created, so I want to include both the pool id and username in the Resource path.
I have found the variable for username (${aws:username}), but haven't been able to locate anything for pool id (${USER_POOL_ID_VARIABLE} placeholder below). Can someone help me with this and also check if the policy I have created below is okay for my purpose?
(Alternately, I'm okay if we could find some variable that is globally unique and could be used instead of creating two levels hierarchy):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::my.bucket/${USER_POOL_ID_VARIABLE}/${aws:username}/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::my.bucket/${USER_POOL_ID_VARIABLE}/${aws:username}/*"
]
}
]
}

AWS S3 policy restrict folder delete

I have a S3 bucket named "uploads" with this structure:
uploads|
|_products
|_users
|_categories
|_...
I want restrict users from deleting folders (products, users, ...) but they can delete objects inside those folers. My policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:GetObjectTagging"
],
"Resource": [
"arn:aws:s3:::uploads",
"arn:aws:s3:::uploads/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::uploads/banners/*",
"arn:aws:s3:::uploads/brands/*",
"arn:aws:s3:::uploads/categories/*",
"arn:aws:s3:::uploads/products/*",
"arn:aws:s3:::uploads/users/*"
]
}
]
}
But i tested and user was able to delete folder, where did i go wrong?
Folders do not exist in Amazon S3.
If an object is created (eg banners/sale.jpg), then the banners directory will magically appear. Then, if that object is deleted, then the directory will magically disappear. This is because directories do not exist in Amazon S3.
So, you need not worry about people deleting a directory because it will automatically reappear when an object is created in that path.
If the Create Folder button is used in the S3 management console, a zero-length object is created with the same name as the directory. This forces the directory to 'appear' (even though it doesn't exist).
From your description, it sounds like the user has the ability to delete the zero-length object, since it has the same path as the Resource you have specified. If so, then there is no way to prevent this from happening purely from a Policy.

Restrict file uploading to bucket root (pre-signed Form)

Is there a way to restrict the file upload via html forms (pre-signed POST) to the root folder?
The docs describes uploading into a specific folder with the starts-with condition.
But I can't see a way to restrict uploading to the bucket root (or any specific folder, without the ability to generate additional subfolders).
This bucket is only for uploading and any files that are accepted will move into another bucket. Because of that I don't want folders in there....
You will need an S3 Policy to deny actions where the resource contains a /. Add this to your S3 Bucket resource policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyObjectOthers",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucket/*/*"
]
}
]
}

Deny permission to specific user of specific folder inside S3 bucket

In AWS S3, I have one bucket named "Environments" under that I have 4 folders named "sandbox", "staging", "prod1" and "prod2" respectively and the permission of the whole bucket is "public".
Now I want to restrict One AWS user named "developer" to write anything into "prod1" and "prod2" folder but it can view them.
Kindly help me out with this
Create below policy and attach to a user developer
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::Environments",
"arn:aws:s3:::Environments/sandbox/*",
"arn:aws:s3:::Environments/staging/*",
]
}
]
}
This policy allows to full permission to folder sandbox and staging, but restrict another folder to user developer

Amazon S3 Folder Level Permissions

I am using Amazon S3 to archive my client's documents within a single bucket and a series of folders as such, to distinguish each client.
MyBucket/0000001/..
MyBucket/0000002/..
MyBucket/0000003/..
My clients are now looking for a way to independently backup their files to their local machine. I'd like to create a set of permissions at a given folder level to view/download those files only within a specific folder.
I'm looking to do this outside the scope of my application, by this I mean, I'd like to create a set of permissions in the S3 browser and tell my clients to use some 3rd Party App to link to their area. Does anybody know if this is possible? I'm opposed to writing a module to automate this as at present as their simply isn't a big enough demand.
You can use IAM policies in conjunction with bucket policies to manage such access.
Each individual client would need their own IAM profile, and you would set up policies to limit object access to only those accounts.
Here is the AWS documentation:
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingIAMPolicies.html
I would particularly point out Example 1 in that document, which does exactly what you want.
Please refer to the following policy to restrict the user to upload or list objects only to specific folders. I have created a policy that allows me to list only the objects of folder1 and folder2, and also allows to put the object to folder1 and deny uploads to other folders of the buckets.
The policy does as below:
1.List all the folders of bucket
2.List objects and folders of allowed folders
3.Uploads files only to allowed folders
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowListingOfFolder1And2",
"Action": [
"s3:*"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::bucketname"
],
"Condition": {
"StringNotLike": {
"s3:prefix": [
"folder1/*",
"folder2/*"
]
},
"StringLike": {
"s3:prefix": "*"
}
}
},
{
"Sid": "Allowputobjecttofolder1only",
"Effect": "Deny",
"Action": "s3:PutObject",
"NotResource": "arn:aws:s3:::bucketname/folder1/*"
}
]
}