I've done it!
I was trying all kinds of long-winded over-thought methods to try and accomplish this including the little known "not resource" when all I needed to do was take the default "allow all" policy and apply it to my specified sub-folders!
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BUCKETNAME/*/128/*"
}
]
}
Note: Edited the resource name.