Yes, you can create an IAM policy that allows read-only access to specific folders in an Amazon S3 bucket.
Here's a beginner-friendly approach:
- Create a custom IAM policy that grants read-only permissions to a specific folder in your S3 bucket.
The policy would look like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/folder-name/*"
      ]
    }
  ]
}
```
This policy allows:
- `s3:Get*` - Permissions to retrieve objects (download files)
- `s3:List*` - Permissions to list objects (view files)
- The `Resource` element restricts these permissions to only the specified folder path
To implement this policy:
- Sign in to the AWS Management Console and open the IAM console
- Create a new policy by navigating to Policies and selecting "Create policy"
- Choose the JSON tab and paste the policy above (replacing "your-bucket-name" and "folder-name" with your actual values)
- Review and create the policy with a descriptive name
- Attach this policy to the IAM user or role that needs the access
This approach is more secure than using the AWS managed policy AmazonS3ReadOnlyAccess, which would grant read access to all S3 buckets in your account.
Remember that in S3, "folders" are actually prefixes in the object key names, so the trailing /* in the resource path is important to include all objects within that prefix.
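To see exactly what the policy above scopes, here is an added example (not part of the answer or of AWS tooling): a small offline checker that applies IAM-style wildcard matching to the answer's statement, and to a second statement that adds `s3:ListBucket` on the bucket ARN with an `s3:prefix` condition. That second statement is my addition, included because `s3:ListBucket` is evaluated against the bucket resource, not the object path, so the object-level statement alone does not let a console user browse the folder. The bucket and folder names are the answer's placeholders.

```python
import fnmatch
import json

# The answer's statement, copied as-is (object-level, read-only).
OBJECT_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:Get*", "s3:List*"],
    "Resource": ["arn:aws:s3:::your-bucket-name/folder-name/*"],
}

# Added statement: ListBucket is a bucket-level action, so it must be allowed on
# the bucket ARN, with the s3:prefix condition keeping listing inside the folder.
LIST_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": ["arn:aws:s3:::your-bucket-name"],
    "Condition": {"StringLike": {"s3:prefix": ["folder-name/*"]}},
}

POLICY_FROM_ANSWER = {"Version": "2012-10-17", "Statement": [OBJECT_STATEMENT]}
POLICY_WITH_LISTING = {"Version": "2012-10-17",
                       "Statement": [OBJECT_STATEMENT, LIST_STATEMENT]}


def _match(patterns, value):
    # IAM wildcards are '*' and '?'; action names compare case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: implicit deny, explicit Deny beats Allow,
    and a statement only applies if action, resource and conditions match."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _match(stmt["Action"], action) or not _match(stmt["Resource"], resource):
            continue
        conds = stmt.get("Condition", {}).get("StringLike", {})
        if not all(k in context and _match(p, context[k]) for k, p in conds.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(POLICY_WITH_LISTING, indent=2))
```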