Do you have a problem understanding S3 IAM Policies and Directives ? Can't quite wrap your head around their documentation ? I did.
I had a situation where I had to lock out several IAM users from a particular folder, and several buckets, except one, and most of their solutions and example solutions were about as clear as mud as far as I was concerned. After scouring the web and not finding what I was looking for I came upon a resource (http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke) that was clear and actually helpful, but it did need some modification, and result is the policy you see below....
What it does is allows the user access to a particular folder within a bucket, but DENIES access to any other listed folder in the same bucket. Mind you, you will not be able to block them from viewing the contents of the folder, nor will you block them from seeing that there are other buckets, that can't be helped. However, they won't have access to the bucket/folder of your choice.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringEquals":{"s3:prefix":["","yourfoldername/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringLike":{"s3:prefix":["yourfoldername/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::yourbucketname/yourfoldername/*"]
},
{
"Action": [
"s3:*"
],
"Sid": "Stmt1375581921000",
"Resource": [
"arn:aws:s3:::yourbucketname/anotherfolder1/*",
"arn:aws:s3:::yourbucketname/anotherfolder2/*",
"arn:aws:s3:::yourbucketname/anotherfolder3/*",
"arn:aws:s3:::yourbucketname/anotherfolder4/*"
],
"Effect": "Deny"
}
]
}
来源:https://stackoverflow.com/questions/18039285/amazon-s3-bucket-and-folder-policy-for-iam-access