I have spent weeks going in circles over this. I have a static S3 website with several 'folders'. I would like to allow public access to the 'root' and 'public' (css, javascript, etc.) folders, but want to restrict access to a 'user' folder. I set up a User Pool & Group in Cognito that works well for my users (JWTs for customer usernames), but I am having one heck of a time connecting the dots! I have tried using the IAM policy (below), but I know I'm doing something wrong. Would love any suggestions on where to go from here... Anyone see errors on my policy language? Will a policy similar to this work despite having "Block All Public Access" enabled?
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToMyBucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {
        "StringEquals": {
          "s3:prefix": [ "", "public/*" ],
          "s3:delimiter": [ "/" ]
        }
      }
    },
    {
      "Sid": "AllowAccessToUserFolder",
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": [ "arn:aws:s3:::mybucket/user" ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [ "${aws:username}/*" ],
          "s3:delimiter": [ "/" ]
        }
      }
    }
  ]
}
```
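The pattern the question is reaching for, written out as an added example (it is not from the original post, and it is not a verified answer to it). Two points matter for the shape of the policy: first, `s3:prefix` and `s3:delimiter` are condition keys for `s3:ListBucket`, a bucket-level action whose Resource is the bucket ARN, whereas `s3:GetObject` is object-level and is scoped by putting the key path in the Resource ARN (`arn:aws:s3:::mybucket/public/*`), not by a prefix condition. Second, `${aws:username}` is only populated for IAM users; a Cognito User Pool JWT is not something S3 can evaluate directly, so the usual route is a Cognito Identity Pool that exchanges the JWT for temporary credentials under an "authenticated" IAM role, and that role's policy scopes the private folder with the `${cognito-identity.amazonaws.com:sub}` variable. Assumptions in this example: the bucket is `mybucket`, public assets live under `public/`, per-user data lives under `user/<identity-id>/`, the top-level file that should stay public is `index.html` (a placeholder; any other root-level files would need to be listed the same way, since a bare `mybucket/*` would expose every key), and the client talks to S3 with the temporary credentials rather than through the anonymous website endpoint. This is a policy for the identity pool's authenticated role, not a bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListPublicAndOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "",
            "public/*",
            "user/${cognito-identity.amazonaws.com:sub}/*"
          ]
        }
      }
    },
    {
      "Sid": "GetPublicObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::mybucket/index.html",
        "arn:aws:s3:::mybucket/public/*"
      ]
    },
    {
      "Sid": "GetOwnUserObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/user/${cognito-identity.amazonaws.com:sub}/*"
    }
  ]
}
```

Because every statement here is evaluated on signed requests made with role credentials, it is unaffected by Block Public Access, which only blocks grants to anonymous or `AllUsers`/`AuthenticatedUsers` principals; it also means the S3 static-website endpoint (which serves anonymously) will not serve even the `public/` folder while that setting is on, so the public assets need a different delivery path (for example CloudFront with an origin access control) if they must be reachable without credentials. A quick check that the variable is resolving as intended is to list `user/` with one identity's credentials: a correctly scoped role returns only that identity's own prefix and gets `AccessDenied` for any other `user/<id>/` prefix.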