I have an S3 bucket containing objects and I have a catalog in DynamoDB where I have information about the S3 objects such as
- id (the primary key) corresponding to the object path in the S3
- creation date,
- extension, and several others.
I want to create an IAM policy to allow someone to ONLY see the S3 objects where the extension field in DynamoDB is .json.
I have not seen anything in the documentation : https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html
Do you have any idea ?
The only way to do it is to have a bucket dedicated to the files on S3 and limit the users visibility to that bucket.
If you remove an item from DynamoDB,you would also remove the item from S3 or change it's bucket.
IAM cannot read DynamoDB so you cannot have a policy determined by your items unless you build a complete custom authorisation mechanism.