Using NotResource field to exclude directories from S3 bucket policies


Context

When designing an S3 bucket policy that should apply only to a subset of the directories (key prefixes) in a bucket, we need to either list the directories it applies to, or list the directories it does not. When the list of directories that should not be covered by the statement is small, it is shorter and less error-prone to use the NotResource policy element: the statement then applies to every object in the bucket except the listed ones, and new directories are covered automatically without editing the policy. Keep in mind that NotResource only narrows what a statement matches; in an Allow statement it withholds the grant for the listed resources, it does not deny them.

Implementation

As an example, let's create a bucket policy allowing public read access to all directories in the <bucket-name> S3 bucket, except for the <bucket-dir> directory. A bucket policy must name a Principal, so public access needs "Principal": "*" (and the bucket's Block Public Access settings must permit a public policy). The two NotResource entries cover an object whose key is exactly <bucket-dir> and every key under <bucket-dir>/:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "NotResource": [
        "arn:aws:s3:::<bucket-name>/<bucket-dir>",
        "arn:aws:s3:::<bucket-name>/<bucket-dir>/*"
      ]
    }
  ]
}

Notes

  • Be careful when combining "Effect": "Allow", a broad "Action" such as "*" and NotResource in IAM identity policies (policies attached to users, groups or roles): such a statement grants the action on every resource in the account except the listed ones. In a bucket policy the blast radius is smaller because the policy can only cover the bucket it is attached to, but the same inversion applies: everything in the bucket that is not listed becomes public.
  • Excluding <bucket-dir> with NotResource does not protect it from grants made elsewhere (another statement, an IAM policy on a user, an access point policy). If the directory must never be readable by the public, add an explicit "Effect": "Deny" statement for the same two ARNs; an explicit Deny overrides any Allow.
  • Matching is on the object key as a string, so "<bucket-name>/<bucket-dir>/*" excludes <bucket-dir>/ and everything under it, but not keys that merely share the prefix, such as <bucket-dir>-backup/dump.sql.
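To see which keys the statement above actually grants, and why an explicit Deny is the safer way to keep the directory private, here is a small model of IAM's Resource / NotResource matching and Allow / Deny evaluation. It is an added example for this post, not AWS code: the matcher and evaluator are simplified (Principal, Condition and cross-account rules are ignored), and the bucket name, directory name and object keys are constructed.

```python
"""Model of how IAM matches Resource / NotResource against S3 object ARNs.

Added illustration, not AWS code: Principal, Condition and cross-account
rules are ignored, and every bucket, directory and key below is made up.
"""
import re


def arn_matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, including
    '/' and the empty string; '?' matches exactly one character; everything
    else is literal.  Used for both resource ARNs and action names."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def _as_list(element) -> list:
    """Policy elements may be a single string or a list of strings."""
    return element if isinstance(element, list) else [element]


def statement_covers(statement: dict, arn: str) -> bool:
    """True when the statement's Resource or NotResource element covers `arn`.
    NotResource inverts the match: the statement applies to every ARN that
    matches none of the listed patterns."""
    if "NotResource" in statement:
        return not any(arn_matches(p, arn) for p in _as_list(statement["NotResource"]))
    return any(arn_matches(p, arn) for p in _as_list(statement.get("Resource", [])))


def evaluate(policy: dict, action: str, arn: str) -> str:
    """Simplified evaluation of one policy for one action on one resource:
    an explicit Deny wins, any matching Allow grants, otherwise implicit deny."""
    decision = "implicit-deny"
    for st in policy["Statement"]:
        if not any(arn_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not statement_covers(st, arn):
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision


# Constructed names; they do not refer to real resources.
BUCKET = "example-bucket"
PRIVATE_DIR = "private"
KEY_ARN_PREFIX = f"arn:aws:s3:::{BUCKET}/"
PRIVATE_ARNS = [KEY_ARN_PREFIX + PRIVATE_DIR, KEY_ARN_PREFIX + PRIVATE_DIR + "/*"]

# The post's policy: public reads on everything except PRIVATE_DIR.
PUBLIC_EXCEPT_PRIVATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "NotResource": PRIVATE_ARNS},
    ],
}

# Same grant, plus a broad Allow that another author might add later, plus an
# explicit Deny on the directory so the exclusion survives that broad Allow.
PUBLIC_PLUS_DENY = {
    "Version": "2012-10-17",
    "Statement": PUBLIC_EXCEPT_PRIVATE["Statement"] + [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": KEY_ARN_PREFIX + "*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
         "Resource": PRIVATE_ARNS},
    ],
}

# Constructed object keys, including a look-alike prefix that is NOT excluded.
SAMPLE_KEYS = [
    "index.html",
    "images/logo.png",
    "private",                  # an object literally named like the directory
    "private/",                 # the console's zero-byte "folder" object
    "private/secrets.txt",
    "private/deep/er/file.txt",
    "private-backup/dump.sql",  # shares a prefix but sits outside private/
]


def readable_keys(policy: dict, keys: list) -> list:
    """Keys on which `policy` allows s3:GetObject."""
    return [k for k in keys
            if evaluate(policy, "s3:GetObject", KEY_ARN_PREFIX + k) == "allow"]


if __name__ == "__main__":
    for name, policy in [("NotResource only", PUBLIC_EXCEPT_PRIVATE),
                         ("NotResource + Deny", PUBLIC_PLUS_DENY)]:
        print(f"{name}: {readable_keys(policy, SAMPLE_KEYS)}")
```

With the NotResource-only policy, index.html, images/logo.png and private-backup/dump.sql are readable while the four private keys fall through to implicit deny. Dropping the Deny from the second policy while keeping the broad Allow makes every key readable, including the private ones, which is the situation the second note above warns about.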

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.