I'm using cyberduck on mac and I'm trying to prevent the user from accessing the certain directories via IAM policy for s3. I have it working to the point where it will block the user from accessing a folder namespace they are not supposed to, but one thing I noticed is that the user can still access files at the level above their designated folder (the folder the user is allowed to access is called images) from within cyberduck. example:
/images/
/afile1
/afile2
/afile3
/restrictedFolder1/
/restrictedFolder2/
so what I'm wondering is, if I can restrict access to the files outside of that user's folder or if i can't then can I hide those files (or just nor return them in the query) via IAM?
my policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowListingOfBrandcentralPRDBucket",
"Action": [
"s3:ListBucket",
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"images/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "ListObjectsForTheImagesFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringNotEquals": {
"s3:prefix": [
"images/initial/",
"images/REJECTED/",
"assets/"
]
}
}
},
{
"Sid": "GrantPromissionsForTheImagesFolder",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::mybucket/images/*"
]
}
]
}