我的存储桶中有一个特定的文件夹,我想限制为仅某些文件类型。我目前有以下内容:
{
"Version": "2012-10-17",
"Id": "Policy1464968545158",
"Statement": [
{
"Sid": "Stmt1464968483619",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder/*"
]
"Condition": {
"StringNotEquals": {
"s3:prefix": ".txt",
"s3:prefix": ".doc"
}
},
}
]
}
我需要替换s3:prefix
的内容,这样系统不必查看文件和路径的开头,而是查看结尾。我尝试了s3:suffix
,但这不是有效的属性。
是否存在一个S3属性,该属性在文件名的末尾进行通配符搜索,因此我只能将文件夹的某些文件类型列入白名单?
答案 0 :(得分:2)
您应该可以使用通配符在Resource
中进行定义。如果要将文件夹仅限制为Effect: Allow
和.txt
,请使用.doc
。
{
"Version": "2012-10-17",
"Id": "Policy1464968545158",
"Statement": [
{
"Sid": "Stmt1464968483619",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder/*.doc",
"arn:aws:s3:::my-bucket/my-folder/*.txt"
]
}
]
}
答案 1 :(得分:1)
与使用拒绝效果相同的方法,可以使用允许效果。这两个示例如下:
仅允许特定的对象,并在需要时拒绝特定的对象。...
{
"Version": "2012-10-17",
"Id": "Policy1464968545158",
"Statement": [
{
"Sid": "Stmt1464968483619",
"Effect": "Allow",
"Principal": {
"AWS": "IAM-USER-ARN"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::bucket-name/*.doc",
"arn:aws:s3:::bucket-name/*.txt"
]
},
{
"Sid": "Stmt1464968483619",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"NotResource": [
"arn:aws:s3:::bucket-name/*.png",
"arn:aws:s3:::bucket-name/*.gif"
]
}
]
}