amazon-web-services - AWS S3 IAM 仅根据子文件夹的名称（而不是路径）从子文件夹下载的权限

问问题 2013-09-19T19:36:07.583

377 次

故事：“作为负责发放退款的用户，我希望能够从包含名称‘新销售文件’的任何 AWS s3 文件夹中下载”

这是我第一次需要在前缀开头使用通配符。这个前缀行应该是什么： "s3:prefix": " // New Sales File/*"

完整的政策如下。[DELETED 代表我删除的敏感信息——值与模式不匹配]

{
  "Statement": [
{
  "Action": [
    "s3:ListAllMyBuckets"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:s3:::*"
  ]
},
{
  "Action": [
    "s3:ListBucket"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:s3:::DELETED"
  ]
},
{
  "Action": [
    "s3:Get*"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:s3:::DELETED"
  ],
  "Condition" : {
    "StringLike": {
      "s3:prefix": "*/*/New Sales File/*"
    },
    "StringEquals": {
      "s3:delimeter": "/"
    }
  }
},
{
  "Action": [
    "s3:*"
  ],
  "Effect": "Deny",
  "Resource": [
    "arn:aws:s3:::DELETED"
  ],
  "Condition": {
    "StringLike": {
      "s3:prefix": "*/*/DELETED/"
    },
    "StringEquals": {
      "s3:delimiter": "/"
    }
  }
},
{
  "Action": [
    "s3:*"
  ],
  "Effect": "Deny",
  "Resource": [
    "arn:aws:s3:::DELETED"
  ],
  "Condition": {
    "NotIpAddress": {
      "aws:SourceIp": "DELETED"
    }
  }
}

] }

amazon-web-services - AWS S3 IAM 仅根据子文件夹的名称（而不是路径）从子文件夹下载的权限

0 回答 0

Related

Reference