search

Public and Private files access

So far we have assigned a role to our authenticated users, who can List the files inside the configured document bucket.

Now let's restrict this access further to only allow to /public-files/ folder and their own folder. The below policy will ensure that the application can only have default read access to the public-files folder. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfPublicFolder",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<S3 files bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "public-files/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<S3 files bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "users/${cognito-identity.amazonaws.com:sub}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowReadAccessOfPublicFolder",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::<S3 files bucket>/public-files",
                "arn:aws:s3:::<S3 files bucket>/public-files/*"
            ]
        },
        {
            "Sid": "ReadWriteDeleteOwnFiles",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 files bucket>/users/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::<S3 files bucket>/users/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}

After updating the policy users can now read the public files and get full access to their own folders.

circle-info

We are using the Cognito variables inside the IAM Policies to have dynamic permissions.

Private folder access is available
circle-info

After applying the above policy if you continue seeing the Access Denied error then logout and login again. This will create a new session with an updated policy token.

Upload a new file and confirm the access.

New file uploaded in user folder
PreviousValidate the Access PermissionsNextUpload Files to S3

Last updated