Cloudformation - Check if S3 folder exists and apply policy to the specific folder

Question

Hello:
I am writing a cloudformation template to create an S3 bucket. This S3 bucket can have multiple folders created programmatically.  So I want to apply a bucket policy that checks if a specific folder exists and allow only specific file types. 
For ex, if there is an S3 bucket called 'my-test-s3' with nested folders /folder1/folder2/pdf, I want to check if the folder 'pdf' exists. If it does, only allow for file types of *.pdf in this folder. How do I write the bucket policy for this using cloudformation template? I tried this below. However, this prevents creation of any folders inside my 'S3Bucket'.  I am looking for some guidance on this.

Sid: Stmt1631632005699
            Effect: Deny
            Principal: 
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root/'
            Action:
               - 's3:PutObject'
            NotResource:
               - !Sub arn:aws:s3:::${S3Bucket}/*/*/pdf/*.pdf

Accepted Answer

Something like this:

```
{
  "Id": "Policy1649706507409",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1649706435908",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket/*.pdf",
      "Condition": {
        "StringLike": {
          "s3:prefix": "pdf/"
        }
      },
      "Principal": "*"
    },
    {
      "Sid": "Stmt1649706506153",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "NotResource": "arn:aws:s3:::mybucket/*.pdf",
      "Condition": {
        "StringLike": {
          "s3:prefix": "pdf/"
        }
      },
      "Principal": "*"
    }
  ]
}
```

Cloudformation - Check if S3 folder exists and apply policy to the specific folder

Relevanter Inhalt