S3 bucket policy - object level?

Question

Is it possible to give specific object level permissions only ie only objects that match /file.txt but anywhere within a given bucket?

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam:accountARN"
        },
        "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetObjectVersion",
            "s3:GetBucketVersioning",
            "s3:ListBucketVersions"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/thing1/thing2/*/*/*/file.txt"            ]
    }

in that my S3 dir structure is:

bucket/thing1/thing2/2021/01/22/file.txt

so my goal is that anywhere file.txt exists under thing2 (since the date folders are dynamic) this user should have access to.

Not sure if something like this would work? in fact I'm almost sure it won't

"arn:aws:s3:::bucket/thing1/thing2/*/*/*/file.txt"

I tried looking at using conditionals but that didn't make too much sense for my use-case.

https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#condition-key-bucket-ops-2

jellycsc jellycsc · Accepted Answer · 2021-02-05T15:16:50

0

votes

I think the following would work.

arn:aws:s3:::bucket*/file.txt

S3 bucket policy - object level?

2 Answers