# Public and Private files access

So far we have assigned a role to our authenticated users that lets them list the files inside the configured document bucket.

Now let's restrict this access further so that a user can only reach the `public-files/` folder and their own folder under `users/`. The policy below grants read-only access to `public-files/`, and read, write and delete access only to the folder named after the caller's own Cognito identity.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfPublicFolder",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<S3 files bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "public-files/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<S3 files bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "users/${cognito-identity.amazonaws.com:sub}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowReadAccessOfPublicFolder",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::<S3 files bucket>/public-files",
                "arn:aws:s3:::<S3 files bucket>/public-files/*"
            ]
        },
        {
            "Sid": "ReadWriteDeleteOwnFiles",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 files bucket>/users/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::<S3 files bucket>/users/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}
```

After updating the policy, users can read the public files and have full access to their own folder, but nothing else in the bucket (listing the bucket root or another user's folder is still denied).

{% hint style="info" %}
We are using Cognito policy variables inside the IAM policy to get dynamic, per-user permissions. `${cognito-identity.amazonaws.com:sub}` is resolved at request time to the caller's Cognito Identity Pool identity ID (the `us-east-1:...` style ID, not the User Pool `sub`), so each `users/<identity-id>/` folder is only reachable by that identity. Policy variables require `"Version": "2012-10-17"`, which is why the policy declares it.
{% endhint %}
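To see what the policy actually permits before deploying it, here is a small added example (not part of the original page or the project) that applies simplified IAM evaluation rules to the policy above: expand the Cognito variable, match actions and resources with IAM-style wildcards, and check the `StringLike` condition on `s3:prefix`. The bucket name and the two identity IDs are constructed placeholders.

```python
import re

# Constructed example: the policy from this page with a placeholder bucket name.
# The bucket name and both identity IDs are assumptions, not real resources.
BUCKET = "example-files-bucket"
VAR = "${cognito-identity.amazonaws.com:sub}"
POLICY = {
    "Version": "2012-10-17",  # required for policy variables such as VAR to be expanded
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringLike": {"s3:prefix": ["public-files/*"]}}},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringLike": {"s3:prefix": [f"users/{VAR}/*"]}}},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": [f"arn:aws:s3:::{BUCKET}/public-files",
                      f"arn:aws:s3:::{BUCKET}/public-files/*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/users/{VAR}",
                      f"arn:aws:s3:::{BUCKET}/users/{VAR}/*"]},
    ],
}

# Two constructed Cognito Identity Pool identity IDs (format "<region>:<uuid>").
ALICE = "us-east-1:11111111-1111-1111-1111-111111111111"
BOB = "us-east-1:22222222-2222-2222-2222-222222222222"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(text, identity_id):
    """Resolve the Cognito policy variable the way IAM does at request time."""
    return text.replace(VAR, identity_id)


def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, identity_id, context):
    """Only StringLike is needed for this policy; a missing condition key makes
    the condition false (there is no ...IfExists operator here)."""
    for operator, keys in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in keys.items():
            if key not in context:
                return False
            if not any(_matches(_expand(p, identity_id), context[key])
                       for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, identity_id, action, resource, context=None):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access, and no matching statement means implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(_expand(a, identity_id), action, ignore_case=True)
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(_expand(r, identity_id), resource)
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), identity_id, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_list(identity_id, prefix=None):
    """ListBucket with an optional prefix; prefix=None models listing the bucket root."""
    ctx = {"s3:prefix": prefix} if prefix is not None else {}
    return is_allowed(POLICY, identity_id, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}", ctx)


def can(identity_id, action, key):
    """Object-level action on a key inside the bucket."""
    return is_allowed(POLICY, identity_id, action, f"arn:aws:s3:::{BUCKET}/{key}")


if __name__ == "__main__":
    for label, ok in [
        ("alice lists public-files/", can_list(ALICE, "public-files/")),
        ("alice lists bucket root", can_list(ALICE)),
        ("alice lists her folder", can_list(ALICE, f"users/{ALICE}/")),
        ("alice lists bob's folder", can_list(ALICE, f"users/{BOB}/")),
        ("alice puts into public-files/", can("%s" % ALICE, "s3:PutObject", "public-files/x.txt")),
        ("alice reads bob's file", can(ALICE, "s3:GetObject", f"users/{BOB}/notes.txt")),
    ]:
        print(f"{label:32s} {'ALLOW' if ok else 'DENY'}")
```

The checks worth noting: listing with no prefix at all is denied because the `s3:prefix` condition key is absent from the request, listing `public-files` without the trailing slash is denied because the pattern is `public-files/*`, and every cross-user request fails because the variable expands to the caller's own identity ID before matching.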

![Private folder access is available](https://1642315733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MCam2LtfwWxgwwpbHcu%2F-MCecprnJ7akxdXNzxi-%2F-MCeoMYCsiwZ2Tm_DWEP%2FScreen%20Shot%202020-07-20%20at%2011.32.37%20AM.png?alt=media\&token=9043b35b-8f3c-4cde-84a6-31c2ec5e5517)

{% hint style="info" %}
After applying the above policy, if you still see the **Access Denied** error, log out and log in again. This forces the app to obtain a fresh set of temporary credentials for the authenticated role, and gives the IAM change (which is eventually consistent) time to propagate.
{% endhint %}

Upload a new file and confirm the access.

![New file uploaded in user folder](https://1642315733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MCam2LtfwWxgwwpbHcu%2F-MCeoqJxdwR5KtKqHfDU%2F-MCep9z37moFxbQW0vCE%2FScreen%20Shot%202020-07-20%20at%2011.35.59%20AM.png?alt=media\&token=e5c2338f-ba3e-47b9-8d9c-7456233eaff5)
