I have created an STS AssumeRole session token, adding a policy document that allows List only on specific folders, but how can we hide the remaining folders that it doesn't have access to?
Example:
Let's consider I have AWS S3 object paths s3://<bucketName>/folder1/{files…} & s3://<bucketName>/folder2/{files…}
I generated an STS token having Action (i.e., S3:List*) and a filter Condition policy (i.e. "StringEquals" : "folder1/*")
In my application I am using the AWS SDK (JavaScript) with the above generated STS session token. If I try to list objects under Key (s3:///), the response returns both folder1/ & folder2/.
How can I hide folder2/ based on the current STS session policy?
(Note: Even though we have restricted List access to deep dive into folder2/, I don't want my SDK to show folder2/ in the frontend.)
s3:List is a bucket-level operation, so it will list all the contents as long as the permissions allow it. You can deny access to folder2/ by adding a condition like you said. However, that folder will still be visible if ListBucket is called in the above directory.
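
A simplified model of how an s3:prefix condition on s3:ListBucket gates listing requests, added here as an example and not part of the original question or answer. The bucket name example-bucket, the function names and the use of StringLike are assumptions; real evaluation also intersects the session policy with the role's own policies.

```javascript
// Added example: simplified model of s3:prefix condition matching for
// s3:ListBucket. Bucket and folder names are constructed placeholders.

// Session policy to pass as the Policy parameter of sts:AssumeRole.
function buildSessionPolicy(bucket, folder) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: 's3:ListBucket',
      Resource: `arn:aws:s3:::${bucket}`,
      // StringLike honours * and ?; StringEquals compares "folder1/*" literally.
      Condition: { StringLike: { 's3:prefix': [`${folder}/*`] } },
    }],
  };
}

// Convert an IAM-style glob (* and ?) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}

const operators = {
  StringEquals: (pattern, value) => pattern === value,
  StringLike: (pattern, value) => globToRegExp(pattern).test(value),
};

// Would a ListObjectsV2 call with this Prefix be allowed by the session policy?
// Models only Allow statements with an s3:prefix condition (no Deny, no other keys).
function listAllowed(policy, requestPrefix) {
  return policy.Statement.some((st) => {
    if (st.Effect !== 'Allow') return false;
    return Object.entries(st.Condition || {}).every(([op, keys]) =>
      [].concat(keys['s3:prefix'] ?? []).some((p) => operators[op](p, requestPrefix)));
  });
}

const policy = buildSessionPolicy('example-bucket', 'folder1');
// A root listing (empty Prefix) would enumerate folder2/, so it must be denied.
for (const prefix of ['', 'folder1/', 'folder1/reports/', 'folder2/']) {
  console.log(JSON.stringify(prefix), listAllowed(policy, prefix) ? 'allowed' : 'denied');
}
```

With a policy of this shape the frontend has to send Prefix: 'folder1/' on every list call, because a listing of the bucket root is denied rather than filtered.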