我想我的问题很简单。假设我有以下S3桶结构。
- root_folder_bucket
- subfolder1
- subfolder2
- subfolder3
- somefolder
仅限制访问的天真方法,例如subfolder1,subfolder2和subfolder3就像下面一样。实际上,AWS不会抛出错误,但这样的策略不起作用。是否有任何优雅的方式来编写像下面这样的资源策略,或者我应该坚持使用前缀,条件和分隔符?
"arn:aws:s3:::root_folder_bucket/[subfolder1, subfolder2]/*",
答案 0 :(得分:3)
您可以将多个语句添加到下面显示的策略生命周期中,而不是在单个ARN中定义子文件夹(这将无效),
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::root_folder_bucket/subfolder1"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::root_folder_bucket/subfolder2"]
}
]
}
或者将多个ARN添加到资源块
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::root_folder_bucket/subfolder1",
"arn:aws:s3:::root_folder_bucket/subfolder2"]
}
]
}