Ejemplo de política (“policy”) IAM de AWS que concede acceso con control total a una carpeta concreta dentro de un bucket S3 concreto.

 

{
    "Version": "2012-10-17",
    "Statement": [
                  {
                   "Sid": "AllowListingOfUserFolder",
                   "Action": [
                   "s3:*"
                 ],
                   "Effect": "Allow",
                   "Resource": [
                   "arn:aws:s3:::NombreDelBucket"
                 ],
                       "Condition": {
                       "StringLike": {
                       "s3:prefix": ["Carpeta/carpeta2/carpetaInterna/*"]
                       }
                     }
                   },
     {
                  "Sid": "DenyListAllFolders",
                  "Action": [
                  "s3:ListBucket"
                ],
                  "Effect": "Deny",
                  "Resource": [
                  "arn:aws:s3:::NombreDelBucket"
                ],
                  "Condition": {
                  "StringNotLike": {
                  "s3:prefix": [
                  "Carpeta/Carpeta2/carpetaInterna",
                  "Carpeta/Carpeta2/carpetaInterna/",
                  "Carpeta/Carpeta2/carpetaInterna/*"
                ]
                }
            }
           },
           {
               "Sid": "AllowAllS3ActionsInUserFolder",
               "Effect": "Allow",
               "Action": [
               "s3:*"
              ],
                "Resource": [
                "arn:aws:s3:::NombreDelBucket/carpeta/carpeta2/carpetaInterna/*"
              ]
           }
      ]
 }