Public and Private files access

So far we have assigned a role to our authenticated users, who can List the files inside the configured document bucket.

Now let's restrict this access further to only allow to /public-files/ folder and their own folder. The below policy will ensure that the application can only have default read access to the public-files folder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfPublicFolder",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<S3 files bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "public-files/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<S3 files bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "users/${cognito-identity.amazonaws.com:sub}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowReadAccessOfPublicFolder",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::<S3 files bucket>/public-files",
                "arn:aws:s3:::<S3 files bucket>/public-files/*"
            ]
        },
        {
            "Sid": "ReadWriteDeleteOwnFiles",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 files bucket>/users/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::<S3 files bucket>/users/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}

After updating the policy users can now read the public files and get full access to their own folders.

We are using the Cognito variables inside the IAM Policies to have dynamic permissions.

After applying the above policy if you continue seeing the Access Denied error then logout and login again. This will create a new session with an updated policy token.

Upload a new file and confirm the access.

PreviousValidate the Access Permissions NextUpload Files to S3

Last updated 4 years ago

Was this helpful?

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListingOfPublicFolder", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::<S3 files bucket>", "Condition": { "StringLike": { "s3:prefix": [ "public-files/*" ] } } }, { "Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::<S3 files bucket>", "Condition": { "StringLike": { "s3:prefix": [ "users/${cognito-identity.amazonaws.com:sub}/*" ] } } }, { "Sid": "AllowReadAccessOfPublicFolder", "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::<S3 files bucket>/public-files", "arn:aws:s3:::<S3 files bucket>/public-files/*" ] }, { "Sid": "ReadWriteDeleteOwnFiles", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::<S3 files bucket>/users/${cognito-identity.amazonaws.com:sub}", "arn:aws:s3:::<S3 files bucket>/users/${cognito-identity.amazonaws.com:sub}/*" ] } ] }