Explanation of bucket policies by example

To make each user's public folder readable, put a pattern like /user/*/files/public/* in your bucket policy. You don't need a statement for the private folders, since by default all objects are already private. Because the pattern is matched against the flat object key (there is no real directory tree), one statement works for all users.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Resource": [
        "arn:aws:s3:::testbucket/user/*/files/public/*"
      ],
      "Sid": ""
    }
  ]
}

aws s3api --no-verify-ssl put-bucket-policy --bucket testbucket --policy file:///tmp/policy.json

Two kinds of wildcards are allowed in bucket-policy key matches: * matches any sequence of characters, and ? matches exactly one character.

Now if you have this in your Resource

arn:aws:s3:::testbucket/user/*/files/public/*

then the policy will match

arn:aws:s3:::testbucket/user/harsha/files/public/issue

Here the user is harsha.

Now if you have this in your Resource

arn:aws:s3:::testbucket/user/?/files/public/*

then the policy will match

arn:aws:s3:::testbucket/user/1/files/public/issue

Here the user is 1. You can even repeat ? to restrict the length of the user name as well. Let's say you have six repeated ?:

arn:aws:s3:::testbucket/user/??????/files/public/*

then the policy will match

arn:aws:s3:::testbucket/user/harsha/files/public/issue
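Added example, not part of the gist: a small Python matcher that implements the * and ? rules described above, plus a check of which object keys the policy at the top grants to anonymous s3:GetObject. It goes one step beyond the text by showing that * does not stop at /, so a key such as user/a/b/files/public/x is matched by the first pattern too. The policy document and the sample keys are constructed from the page; the function names are this example's own.

```python
import json
import re

# Constructed copy of the bucket policy shown above, embedded so this runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:GetObject"],
      "Effect": "Allow",
      "Principal": {"AWS": ["*"]},
      "Resource": ["arn:aws:s3:::testbucket/user/*/files/public/*"],
      "Sid": ""
    }
  ]
}
""")


def arn_matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters (it does not stop at '/'),
    '?' is exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _as_list(v):
    # Policy fields may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]


def anonymous_get_allowed(policy: dict, bucket: str, key: str) -> bool:
    """True if an anonymous caller (Principal '*') is granted s3:GetObject on bucket/key.
    Only Allow statements are evaluated; Deny statements and Conditions are out of scope."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" not in principals:
            continue
        # Action names are case-insensitive and may themselves contain wildcards (e.g. s3:*).
        action_ok = any(arn_matches(a.lower(), "s3:getobject") for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(arn_matches(r, arn) for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False
```

Run anonymous_get_allowed over a listing of your keys before applying a policy to see exactly which objects the public statement will expose.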