I am trying to create an S3 bucket policy that allows only .docx filetype (easy to do) but that also allows me to create folders.
At the moment each time I want to create a folder, I have to temporarily delete the bucket policy, create the folder, then reinstate the policy.
Here is my current policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyDocFiles",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:putObject",
      "NotResource": "arn:aws:s3:::input-bucket/*.docx"
    }
  ]
}
Would be great if you could provide the final policy with the additional Sid.
As @john-rotenstein's answer explains, you don't need to actually create folders.
However, if you want the ability to use the Create Folder feature in the console, which creates the empty prefix, you just add the folder pattern '*/' to your NotResource line:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyDocFiles",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:putObject",
      "NotResource": [
        "arn:aws:s3:::input-bucket/*.docx",
        "arn:aws:s3:::input-bucket/*/"
      ]
    }
  ]
}
Amazon S3 does not actually use folders. Instead, the filename (Key) of each object contains the full path of the object.
For example, this command copies a file to Amazon S3 using the AWS Command-Line Interface (CLI):
aws s3 cp foo.docx s3://my-bucket/invoices/foo.docx
This command will work successfully even if the invoices folder does not exist. The Amazon S3 interface will make the invoices folder "appear" automatically. However, it is merely displaying a "common prefix" used in the object keys.
Let's say that the object was then deleted:
aws s3 rm s3://my-bucket/invoices/foo.docx
This not only deletes the object, but it also makes the folder disappear! This is because the folder never actually existed.
Therefore, you should not be concerned about making folders and deleting folders. Simply pretend that they exist and everything will work fine.
But, you ask, what about the Create Folder button in the management console? How does it work? Well, it actually creates an object of zero size with the same name as the 'folder'. This causes the folder to "appear" in the user interface (because there is an object with that prefix) but it has no impact on creating the folder because the folder does not exist.
So, a policy that "allows creation of a folder" would actually need to allow creation of an object with no prefix, but I recommend you don't even worry about it, since folder creation is not necessary.
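To see how the Deny/NotResource statement from the first answer interacts with the zero-byte "folder" objects described in the second, here is an added Python example (not part of either answer) that evaluates that statement against candidate keys. It assumes IAM's documented wildcard rules (`*` matches any run of characters, `/` included; `?` matches one character) and looks only at explicit Deny statements; a real request would additionally need an Allow from an identity or bucket policy, which this check ignores.

```python
import re

# Constructed policy mirroring the accepted answer: deny PutObject on every
# key except *.docx files and "folder" keys that end in "/".
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyDocFiles",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "NotResource": [
                "arn:aws:s3:::input-bucket/*.docx",
                "arn:aws:s3:::input-bucket/*/",
            ],
        }
    ],
}

def arn_pattern_to_regex(pattern: str) -> re.Pattern:
    """IAM resource wildcards: '*' is any run of characters (slashes included),
    '?' is exactly one character; everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")

def matches_any(arn: str, patterns) -> bool:
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(arn_pattern_to_regex(p).match(arn) for p in patterns)

def put_object_denied(policy: dict, bucket: str, key: str) -> bool:
    """True if an explicit Deny statement covers s3:PutObject on this key.
    With NotResource the statement applies to every resource that matches
    none of the listed patterns. Matching is on the key name only: the policy
    sees neither the object's size nor its content type."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("s3:putobject", "s3:*", "*") for a in actions):
            continue  # IAM action names are case-insensitive
        if "NotResource" in stmt:
            applies = not matches_any(arn, stmt["NotResource"])
        else:
            applies = matches_any(arn, stmt["Resource"])
        if applies:
            return True
    return False
```

Note that a key such as `invoices/` passes purely because of its trailing slash; the policy cannot distinguish the console's zero-byte folder marker from any other object whose key ends in `/`.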