Preventing users from running mkdir in an S3 bucket - AWS Transfer Family

You can limit users' ability to create a directory in an Amazon S3 bucket. To do so, you create an IAM policy that allows the s3:PutObject action but also denies it when the key ends with a "/" (forward slash). The following example policy allows users to upload files to an Amazon S3 bucket but denies the mkdir command in the Amazon S3 bucket.

{
    "Sid": "DenyMkdir",
    "Action": [
        "s3:PutObject"
    ],
    "Effect": "Deny",
    "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/*"
    ]
}
Note

The second resource line makes it impossible for users to create sub-folders by running a command such as put my-file DOC-EXAMPLE-BUCKET/new-folder/my-file.
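
To check which uploads the DenyMkdir statement blocks before attaching it, the following added example (not part of the original AWS documentation) evaluates it offline against constructed object keys. It is a simplified model of IAM evaluation covering only Action, Resource wildcards and explicit-deny precedence; the AllowUpload statement and the sample keys are assumptions.

```python
import re

# Deny statement copied from the page; the Allow statement is an assumption
# standing in for the upload permission the page describes but does not show.
POLICY = [
    {"Sid": "AllowUpload", "Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]},
    {"Sid": "DenyMkdir", "Effect": "Deny", "Action": ["s3:PutObject"],
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/",
                  "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/*"]},
]

def arn_matches(pattern, arn):
    """IAM-style wildcards: '*' is any run of characters ('/' included), '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn, flags=re.DOTALL) is not None

def evaluate(policy, action, bucket, key):
    """Return (decision, sid). An explicit Deny overrides any Allow."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed_by = None
    for stmt in policy:
        if action not in stmt["Action"]:
            continue
        if not any(arn_matches(p, arn) for p in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return ("Deny", stmt["Sid"])
        allowed_by = stmt["Sid"]
    return ("Allow", allowed_by) if allowed_by else ("ImplicitDeny", None)

# Constructed sample keys: the object key each client operation would write.
SAMPLES = {
    "put my-file (bucket root)": "my-file",
    "mkdir new-folder": "new-folder/",
    "put my-file new-folder/my-file": "new-folder/my-file",
    "mkdir a/b": "a/b/",
}

def run_samples():
    return {label: evaluate(POLICY, "s3:PutObject", "DOC-EXAMPLE-BUCKET", key)
            for label, key in SAMPLES.items()}

if __name__ == "__main__":
    for label, (decision, sid) in run_samples().items():
        print(f"{label:34} -> {decision} ({sid})")
```

With both resource lines in place, only keys without a "/" are writable, so users are confined to the top level of the bucket.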