在AWS S3 IAM策略中指定多个文件夹

时间:2018-04-20 13:49:11

标签: json amazon-web-services amazon-s3 amazon-iam

我想我的问题很简单。假设我有以下S3桶结构。

- root_folder_bucket
  - subfolder1
  - subfolder2
  - subfolder3
  - somefolder

仅限制访问的天真方法,例如subfolder1,subfolder2和subfolder3就像下面一样。实际上,AWS不会抛出错误,但这样的策略不起作用。是否有任何优雅的方式来编写像下面这样的资源策略,或者我应该坚持使用前缀,条件和分隔符?

"arn:aws:s3:::root_folder_bucket/[subfolder1, subfolder2]/*",

1 个答案:

答案 0 :(得分:3)

您可以将多个语句添加到下面显示的策略生命周期中,而不是在单个ARN中定义子文件夹(这将无效),

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::root_folder_bucket/subfolder1"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::root_folder_bucket/subfolder2"]
    }
  ]
}

或者将多个ARN添加到资源块

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::root_folder_bucket/subfolder1",
                   "arn:aws:s3:::root_folder_bucket/subfolder2"]
    }
  ]
}