AWS S3 IAM permission to download from a subfolder based only on the subfolder's name (not its path)

Time: 2013-09-19 19:36:08

Tags: amazon-web-services amazon-s3 amazon-iam

Story: "As a user responsible for issuing refunds, I want to be able to download from any AWS S3 folder whose name contains 'New Sales File'."

This is the first time I have needed a wildcard at the start of a prefix. What should this prefix line be: "s3:prefix": "*/*/New Sales File/*"

The full policy is below. [DELETED marks sensitive information I removed; the values do not match the patterns.]

{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DELETED"
      ]
    },
    {
      "Action": [
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DELETED"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "*/*/New Sales File/*"
        },
        "StringEquals": {
          "s3:delimiter": "/"
        }
      }
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DELETED"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "*/*/DELETED/"
        },
        "StringEquals": {
          "s3:delimiter": "/"
        }
      }
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DELETED"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "DELETED"
        }
      }
    }
  ]
}
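As an added example (not code from the question or from AWS), the Python script below encodes two points a reviewer would check in this policy: the `s3:prefix` condition key is evaluated only on bucket-level list requests, and GetObject is authorised against the object ARN, so the folder filter has to live in the Resource of a separate GetObject statement rather than in a condition on the bucket ARN. The bucket name `example-bucket`, the `iam_match` helper and the sample keys are constructed assumptions.

```python
import json
import re

# Constructed placeholder for the bucket name the question redacts as DELETED.
BUCKET = "example-bucket"


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, including '/',
    and '?' matches exactly one character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def hardened_statements() -> list:
    """Allow listing and reading only under folders named 'New Sales File'."""
    return [
        {   # s3:prefix is only evaluated for ListBucket (the 'prefix' query parameter).
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
            "Condition": {"StringLike": {"s3:prefix": ["*/*/New Sales File/*"]}},
        },
        {   # GetObject is matched against the object ARN, so the folder filter goes
            # into Resource; a Get* statement on the bare bucket ARN never applies.
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": [f"arn:aws:s3:::{BUCKET}/*/*/New Sales File/*"],
        },
    ]


def get_object_allowed(key: str) -> bool:
    """Would the hardened statements allow GetObject on this key?"""
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    return any(iam_match(r, arn) for r in hardened_statements()[1]["Resource"])


def list_allowed(prefix: str) -> bool:
    """Would the hardened statements allow ListBucket with this prefix parameter?"""
    patterns = hardened_statements()[0]["Condition"]["StringLike"]["s3:prefix"]
    return any(iam_match(p, prefix) for p in patterns)


if __name__ == "__main__":
    print(json.dumps({"Statement": hardened_statements()}, indent=2))
    for key in ["2013/Q3/New Sales File/report.csv", "2013/Q3/Old Sales File/report.csv"]:
        print(key, "->", get_object_allowed(key))
```

Because `*` also matches `/`, the `*/*/` pattern admits folders at any depth of two or more, but a key such as `2013/New Sales File/report.csv` (only one level above the folder) is not matched; widen the pattern deliberately if that is wanted.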

0 answers:

No answers