AWS: Allowing S3 Access and Managing Sub-Folders
Amazon Simple Storage Service (S3) is a highly scalable, reliable, and cost-effective object storage service provided by Amazon Web Services (AWS). A common requirement when working with S3 is restricting which principals can reach which buckets, and which sub-folders (key prefixes) within them. This blog post covers the core concepts, typical usage scenarios, common practices, and best practices for allowing S3 access that is scoped to a sub-folder.
Table of Contents#
- Core Concepts
- Typical Usage Scenarios
- Common Practices
- Best Practices
- Conclusion
- FAQ
- References
Core Concepts#
Amazon S3 Buckets#
An S3 bucket is a top-level container for storing objects in Amazon S3. Buckets are created in a specific AWS region and have a globally unique name. All objects in S3 are stored within buckets.
S3 Objects and Folders#
In S3 there are no real folders as in a file system; the key namespace is flat. A "folder" is emulated by naming convention: an object's key (the name of the object) can contain forward slashes (/), and tools such as the S3 console and the ListObjects API with a delimiter of / present keys that share a prefix as if they were a folder. For example, an object with the key documents/reports/quarterly_report.pdf appears to sit inside a reports sub-folder within a documents folder, but the only thing S3 stores is that one key. (Creating a folder in the console actually creates a zero-byte object whose key ends in /.) Access policies therefore scope a "folder" by matching on the key prefix, which is why the prefix you grant must include the trailing slash: my_sub_folder/* covers the sub-folder, whereas my_sub_folder* would also match a key such as my_sub_folder_backup/secret.txt.
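The flat-namespace behaviour just described, as an added Python example that is not part of the original post. list_objects reproduces the grouping that the ListObjectsV2 API performs when it is given Prefix and Delimiter, and in_folder shows the prefix-matching pitfall mentioned above; the key list is constructed for the example and stands in for the contents of a bucket.

```python
# Added example (not from the original post). S3 has no directories: "folders" are what a
# client shows when it lists a flat key namespace with a delimiter. list_objects() mimics
# the grouping ListObjectsV2 performs for Prefix/Delimiter; in_folder() shows the
# prefix-matching pitfall that also bites in IAM policies.

# Constructed sample keys standing in for the objects in one bucket.
SAMPLE_KEYS = [
    "documents/",                              # zero-byte marker the console creates for a "folder"
    "documents/reports/quarterly_report.pdf",
    "documents/reports/annual_report.pdf",
    "documents/invoices/2024-01.pdf",
    "documents/readme.txt",
    "documents_old/readme.txt",                # starts with "documents" but is a sibling, not a child
    "tenant-a/config.json",
    "tenant-b/config.json",
]


def list_objects(keys, prefix="", delimiter="/"):
    """Mimic ListObjectsV2(Prefix=prefix, Delimiter=delimiter).

    Returns (contents, common_prefixes): keys under `prefix` whose remainder holds no
    delimiter are "files"; the rest are rolled up into one entry per next-level "folder".
    With delimiter=None every matching key is returned flat, as S3 does.
    """
    contents, common = [], []
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            folder = prefix + rest.split(delimiter, 1)[0] + delimiter
            if folder not in common:
                common.append(folder)
        else:
            contents.append(key)
    return contents, common


def in_folder(key, folder):
    """True only when `key` lies under `folder`.

    A bare key.startswith("documents") check would also accept documents_old/...;
    matching on the prefix plus trailing slash is what keeps siblings out.
    """
    return key.startswith(folder.rstrip("/") + "/")


if __name__ == "__main__":
    print(list_objects(SAMPLE_KEYS))                           # top-level "folders" only
    print(list_objects(SAMPLE_KEYS, "documents/"))             # one level down
    print(in_folder("documents_old/readme.txt", "documents"))  # False
```

The same distinction applies to policy resources: arn:aws:s3:::mybucket/documents/* is the pattern that corresponds to in_folder, while arn:aws:s3:::mybucket/documents* behaves like the naive startswith check.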
Access Control#
AWS provides multiple ways to control access to S3 buckets and objects:
- Bucket Policies: Resource-based JSON policies attached to a bucket. Because they carry a Principal element, they can grant or deny access to IAM users and roles, to other AWS accounts, or to anonymous requests, and they can attach conditions such as a source IP range (aws:SourceIp) or the listing prefix (s3:prefix).
- IAM Policies: Identity-based policies attached to IAM users, groups, or roles. They define which S3 actions the attached principal may perform on which resources and have no Principal element, because the principal is whoever the policy is attached to.
- Access Control Lists (ACLs): A legacy, coarse-grained mechanism that grants a fixed set of permissions (read, write, full control) to AWS accounts or predefined groups at the bucket or object level. AWS recommends disabling ACLs through the bucket's Object Ownership setting (Bucket owner enforced), so that bucket policies and IAM policies are the only access controls in play.
Typical Usage Scenarios#
Data Sharing#
A company may want to share certain datasets stored in an S3 bucket with external partners. Sharing with a partner means granting a principal in another AWS account, so the grant lives in a bucket policy that names the partner's account or role as Principal and scopes the Resource (and the s3:prefix condition for listing) to the shared sub-folder, keeping the rest of the bucket private.
Multi-tenant Applications#
In a multi-tenant application, each tenant's data can be stored in a separate sub-folder within one S3 bucket. Isolation then rests entirely on the access policy scoping each principal to its own prefix; policy variables such as ${aws:username} let a single policy map every IAM user to the sub-folder named after them, so that no tenant can read or list another tenant's data.
Development and Testing#
During the development and testing process, different teams or developers may need access to different parts of an S3 bucket. By allowing access to specific sub-folders, each team can work independently without interfering with others.
Common Practices#
Using Bucket Policies#
To allow access to a specific sub-folder within an S3 bucket, you can use a bucket policy. Two details matter. s3:ListBucket is evaluated against the bucket ARN, not an object ARN, so granting it on arn:aws:s3:::mybucket with no condition lets the user enumerate every key in the bucket, including every other sub-folder; restrict it with an s3:prefix condition. s3:GetObject is evaluated against object ARNs, so its Resource carries the prefix followed by a wildcard. Here is a bucket policy that lets an IAM user list and read objects under my_sub_folder/ and nothing else:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfSubFolderOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/myuser"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["my_sub_folder/*"]
        }
      }
    },
    {
      "Sid": "AllowReadOfObjectsInSubFolder",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/myuser"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/my_sub_folder/*"
    }
  ]
}
Using IAM Policies#
You can also attach an identity-based IAM policy to a user, group, or role. The statements are the same as in the bucket policy but carry no Principal element, because the principal is whoever the policy is attached to. Here is an IAM policy that gives a role read-only access to the same sub-folder, with listing again restricted to the prefix:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["my_sub_folder/*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/my_sub_folder/*"
    }
  ]
}
Best Practices#
Least Privilege Principle#
Always follow the least privilege principle when granting access to S3 resources: grant only the minimum set of permissions a user or role needs for its task. For example, if a user only needs to read objects from a sub-folder, grant s3:GetObject on that prefix and s3:ListBucket restricted by an s3:prefix condition, and do not grant s3:PutObject, s3:DeleteObject, or a blanket s3:* on the bucket.
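To see what the prefix scoping above actually changes, here is an added Python example that is not part of the original post and is not AWS's policy engine: a deliberately small model of the IAM evaluation rules (Effect, Action, Resource, the StringLike operator on s3:prefix, the ${aws:username} policy variable, and explicit-Deny override), run over three constructed policies. BUCKET, the user names myuser, alice and bob, and the policies themselves are assumptions made for the example; supporting only the StringLike operator is a simplification of the model.

```python
# Added example (not from the original post): a deliberately small model of the IAM
# evaluation rules, enough to show why s3:ListBucket on a bucket ARN without an s3:prefix
# condition exposes the whole bucket. It is an illustration, not AWS's engine: it models
# Effect, Action, Resource, the StringLike operator on s3:prefix, the ${aws:username}
# policy variable, and the rule that an explicit Deny overrides any Allow.
import fnmatch

BUCKET = "arn:aws:s3:::mybucket"   # assumed bucket name for the example


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, username):
    # Policy variables are substituted first; "*" and "?" are IAM wildcards.
    return any(fnmatch.fnmatchcase(value, p.replace("${aws:username}", username))
               for p in _as_list(patterns))


def _condition_ok(statement, context, username):
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "StringLike":          # the only operator this model supports
            raise ValueError("unsupported condition operator: " + operator)
        for key, patterns in keys.items():
            # A key missing from the request context makes the condition false.
            if key not in context or not _matches(patterns, context[key], username):
                return False
    return True


def is_allowed(policy, username, action, resource, context=None):
    """Default deny; a matching Deny wins outright; otherwise any matching Allow grants."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if (_matches(st["Action"], action, username)
                and _matches(st["Resource"], resource, username)
                and _condition_ok(st, context, username)):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Shape of a policy before scoping: ListBucket on the whole bucket, no prefix condition.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": [BUCKET, BUCKET + "/my_sub_folder/*"],
}]}

# Scoped: listing only succeeds when the request's prefix is inside the sub-folder.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": ["my_sub_folder/*"]}}},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/my_sub_folder/*"},
]}

# Multi-tenant variant: each IAM user is confined to the prefix named after them.
TENANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET + "/${aws:username}/*"},
]}


def listing_allowed(policy, username, prefix):
    """Can `username` enumerate keys under `prefix`? (ListBucket with an s3:prefix context)"""
    return is_allowed(policy, username, "s3:ListBucket", BUCKET, {"s3:prefix": prefix})


if __name__ == "__main__":
    print("broad policy lists other_folder/:", listing_allowed(BROAD_POLICY, "myuser", "other_folder/"))
    print("scoped policy lists other_folder/:", listing_allowed(SCOPED_POLICY, "myuser", "other_folder/"))
    print("scoped policy lists my_sub_folder/:", listing_allowed(SCOPED_POLICY, "myuser", "my_sub_folder/"))
    print("alice reads bob's config:", is_allowed(TENANT_POLICY, "alice", "s3:GetObject",
                                                    BUCKET + "/bob/config.json"))
```

The broad policy never lets myuser read an object outside my_sub_folder/, because s3:GetObject is matched against object ARNs; what it leaks is the key listing of the entire bucket, which is often enough to reveal tenant names, report titles, or backup layouts. The scoped policy closes that gap, and the tenant policy shows the same construction generalised with ${aws:username}.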
Regularly Review and Update Policies#
As your organization's requirements change, regularly review and update your S3 access policies. Remove permissions that are no longer needed, and check for unintended exposure: IAM Access Analyzer reports buckets whose policies grant access to principals outside your account, which is the fastest way to catch an over-broad Principal or a missing prefix condition.
Use IAM Roles for Temporary Access#
When providing access to external users or services, prefer IAM roles assumed through AWS STS, which issue short-lived credentials, over long-lived IAM user access keys; this limits the damage if credentials leak. For one-off downloads, a presigned URL grants time-limited access to a single object without sharing any credentials at all.
Conclusion#
Managing access to S3 buckets and sub-folders is a crucial aspect of working with Amazon S3. By understanding the core concepts, typical usage scenarios, common practices, and best practices, software engineers can ensure that their S3 resources are secure and accessible only to authorized users.
FAQ#
Q1: Can I use both bucket policies and IAM policies together?#
Yes. For a principal in the same account as the bucket, S3 evaluates the union of the identity-based IAM policy and the bucket policy: an action is allowed if either policy allows it and no applicable policy contains an explicit Deny. For a principal in another account, both sides must agree: the principal's own IAM policy must grant the S3 action and the bucket policy must grant it to that principal. An explicit Deny in any applicable policy always wins.
Q2: How can I revoke access to an S3 sub - folder?#
Remove or narrow the relevant statements in the bucket policy or IAM policy; adding an explicit Deny statement on the prefix cuts off access immediately regardless of any remaining Allow statements. If the bucket still uses ACLs, modify the ACL as well, or disable ACLs entirely by setting Object Ownership to Bucket owner enforced. A presigned URL is checked against the signing principal's permissions at request time, so removing those permissions also invalidates outstanding URLs.
Q3: Are there any limitations to the number of policies I can attach to an S3 bucket?#
Yes. A bucket has exactly one bucket policy, and that policy document is limited to 20 KB. Identity-based IAM policies have their own size limits (a managed policy document may be at most 6,144 characters, and inline policies are capped per user, group, and role), so a sub-folder-per-tenant design with many statements is better expressed with policy variables than with one statement per tenant.