I wanted folders named the same as the logged-in IAM user, so if I had a user named "Bob", the key structure would be:
- My Bucket
  - Bob
    - Bob's stuff
  - Mary
    - Mary's stuff
and I wanted a policy to prevent Bob from being able to look into Mary's folder, and likewise for Mary.
Initially, I tried this statement:
{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::my-bucket/${aws:username}"
}
but it threw:
Action does not apply to any resource(s) in statement
To achieve this, having this statement in the policy:
{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::my-bucket",
  "Condition": {
    "StringLike": {
      "s3:prefix": "${aws:username}/*"
    }
  }
}
worked for me.
Here are some example policies that may help in the future.
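As an added example (not part of the original post), here is the complete per-user-folder policy that the fix above leads to, built as an identity-based policy attached to the IAM user or group rather than as a bucket policy, so it carries no Principal element (a bucket policy with "Principal": "*" applies to every principal that can reach the bucket). s3:ListBucket is a bucket-level action, which is why the Resource has to be the bucket ARN and the folder restriction has to go into the s3:prefix condition; object-level actions take object ARNs, so there the username can sit in the Resource itself. The small evaluator underneath is a deliberately simplified model of IAM evaluation (default deny, Allow statements only, StringLike/StringEquals, policy-variable substitution) written to show why Bob can list and read Bob/ but not Mary/; it is not the AWS evaluation engine. The bucket name my-bucket is the one from the post and the usernames and object keys are constructed sample input.

```python
import re

BUCKET = "my-bucket"  # bucket name taken from the post


def per_user_folder_policy(bucket: str = BUCKET) -> dict:
    """Identity-based policy (attach to the IAM user or group) giving each
    user their own '<username>/' prefix. No Principal element is needed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # ListBucket is a bucket-level action: the Resource must be the
                # bucket ARN itself, and the folder restriction lives in s3:prefix.
                "Sid": "ListOwnFolder",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}},
            },
            {
                # Object-level actions take object ARNs, so here the username
                # can be part of the Resource itself.
                "Sid": "ReadWriteOwnObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/${{aws:username}}/*",
            },
        ],
    }


def _glob(pattern: str, value: str) -> bool:
    """IAM-style match: '*' is any run of characters, '?' one character, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _substitute(template: str, context: dict) -> str:
    """Expand ${key} policy variables from the request context. An unknown
    variable is left as-is, so it can never match a real value."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), template)


def _conditions_hold(condition: dict, context: dict) -> bool:
    """Every condition block must hold; within a key, any listed value may match."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if key not in context:
                return False  # missing key: a non-IfExists operator evaluates to false
            patterns = patterns if isinstance(patterns, list) else [patterns]
            patterns = [_substitute(p, context) for p in patterns]
            if operator == "StringLike":
                ok = any(_glob(p, context[key]) for p in patterns)
            elif operator == "StringEquals":
                ok = context[key] in patterns
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Simplified evaluation: default deny, any matching Allow statement wins.
    Explicit Deny, NotAction/NotResource and other operators are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_glob(a, action) for a in actions):
            continue
        if not any(_glob(_substitute(r, context), resource) for r in resources):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = per_user_folder_policy()
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    bob = {"aws:username": "Bob", "s3:prefix": "Bob/"}
    mary_listing = {"aws:username": "Bob", "s3:prefix": "Mary/"}
    print("Bob lists Bob/:", is_allowed(policy, "s3:ListBucket", bucket_arn, bob))
    print("Bob lists Mary/:", is_allowed(policy, "s3:ListBucket", bucket_arn, mary_listing))
```

Two details are worth noticing when running it: a listing of the whole bucket (empty or absent s3:prefix) is denied, because "" does not match "Bob/*", and a prefix such as "Bobby/" is denied as well, because the pattern is anchored on "Bob/" and not merely on "Bob". Reproducing the post's first attempt, s3:ListBucket against the object-style ARN arn:aws:s3:::my-bucket/Bob matches no statement at all, which is the evaluation-time counterpart of the "Action does not apply to any resource(s)" validation error.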