
How do I grant access to all subfolders of a folder in Amazon S3?

Tags:

amazon-s3

Here is the policy I wrote in Amazon S3. I thought it should give access to subfolders because of the * but it is giving access denied errors when the user tries to create or view subfolders. How can I change this to work?

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowUserToSeeBucketListInTheConsole",
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Sid": "AllowRootAndMediaListingOfCompanyBucket",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::mycoolbucket"
        ],
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    "",
                    "media/"
                ],
                "s3:delimiter": [
                    "/"
                ]
            }
        }
    },
    {
        "Sid": "AllowAllS3ActionsInMediaFolder",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::mycoolbucket/media/*"
        ]
    }
]
}

More details:

I logged into the console as the user. I went to the media folder. I then clicked on a folder inside of media and got the message "Error access denied".

asked May 14 '17 20:05

TomahawkPhant


2 Answers

You are missing permissions to list the contents of the media folder. Add the following statement to your policy.

Note: Your policy should be added to the user(s) and not to the bucket itself. A better choice is to create an IAM group, attach the policy to the group and then add each user to the group (which you mentioned that you are doing).

{
  "Sid": "AllowListingOfMediaFolder",
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::mycoolbucket"],
  "Condition":{"StringLike":{"s3:prefix":["media/*"]}}
},

answered Nov 03 '22 21:11

John Hanley
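
Why the question's policy denies the subfolder listing and the added statement allows it, as an added example (not code from either answer). It models only Allow statements for s3:ListBucket and their Condition blocks, ignoring Resource matching and explicit Deny; the request prefixes such as "media/photos/" are constructed, and it assumes the console lists a folder by sending its path as s3:prefix with delimiter "/".

```python
import re

def like(pattern, value):
    # IAM StringLike wildcards: '*' is any run of characters (including none), '?' is one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None

OPERATORS = {"StringEquals": lambda wanted, actual: wanted == actual, "StringLike": like}

def condition_holds(condition, context):
    # Operators and keys are ANDed; the values listed for one key are ORed.
    for op, keys in condition.items():
        for key, wanted in keys.items():
            wanted = [wanted] if isinstance(wanted, str) else wanted
            if key not in context:
                return False
            if not any(OPERATORS[op](w, context[key]) for w in wanted):
                return False
    return True

def list_allowed(statements, prefix, delimiter="/"):
    """True if some Allow statement for s3:ListBucket matches this listing request."""
    context = {"s3:prefix": prefix, "s3:delimiter": delimiter}
    return any(
        s["Effect"] == "Allow"
        and "s3:ListBucket" in s["Action"]
        and condition_holds(s.get("Condition", {}), context)
        for s in statements
    )

# The ListBucket statement from the question: exact match on "" or "media/" only.
QUESTION = [{"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Condition": {"StringEquals": {"s3:prefix": ["", "media/"],
                                            "s3:delimiter": ["/"]}}}]
# The statement from the answer: wildcard match on everything under media/.
FIXED = QUESTION + [{"Effect": "Allow", "Action": ["s3:ListBucket"],
                     "Condition": {"StringLike": {"s3:prefix": ["media/*"]}}}]

# Constructed listing requests: bucket root, media/, two nested folders, another folder.
REQUESTS = ["", "media/", "media/photos/", "media/photos/2017/", "private/"]

def report():
    return {p: (list_allowed(QUESTION, p), list_allowed(FIXED, p)) for p in REQUESTS}

if __name__ == "__main__":
    for prefix, (before, after) in report().items():
        print(f"prefix={prefix!r:22} question={before!s:6} with_answer={after}")
```

The StringEquals condition matches the literal values "" and "media/" and nothing deeper, which is why the media folder opens but any folder inside it is denied. The StringLike statement widens listing only under media/, so other prefixes stay unlistable.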


With this policy, I'm able to grant access to all subfolders of a folder in Amazon S3:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<<bucketname>>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "foldername/*"
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*",
                "s3:ListBucket",
                "s3:DeleteObject*"
            ],
            "Resource": "arn:aws:s3:::<<bucketname>>/foldername/*"
        }
    ]
}

answered Nov 03 '22 19:11

Bhupathi Brahmaiah