我正在设置IAM用户,使其只能访问要下载的特定存储桶文件夹对象,并仅限于其他存储桶和子文件夹
{
"Version": "2012-10-17",
"Statement":[
{
"Sid":"AllowListBucketIfSpecificPrefixIsIncludedInRequest",
"Action":["s3:ListBucket"],
"Effect":"Allow",
"Resource":["arn:aws:s3:::mybucket"],
"Condition":{
"StringLike":{"s3:prefix":["downloads/*"]
}
}
},
{
"Sid":"AllowUserToReadWriteObjectDataInDownloadsFolder",
"Action":["s3:GetObject"],
"Effect":"Allow",
"Resource":["arn:aws:s3:::mybucket/downloads/*"]
}
]
}