AWS S3存储桶策略-仅允许文件夹中的某些文件类型

时间:2019-05-25 11:45:40

标签: amazon-web-services amazon-s3 amazon-iam aws-access-policy

我的存储桶中有一个特定的文件夹,我想限制为仅某些文件类型。我目前有以下内容:

{
    "Version": "2012-10-17",
    "Id": "Policy1464968545158",
    "Statement": [
        {
            "Sid": "Stmt1464968483619",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::my-bucket/my-folder/*"
            ]
            "Condition": {
                "StringNotEquals": {
                  "s3:prefix": ".txt",
                  "s3:prefix": ".doc"
                }
            },
        }
    ]
}

我需要替换s3:prefix的内容,这样系统不必查看文件和路径的开头,而是查看结尾。我尝试了s3:suffix,但这不是有效的属性。

是否存在一个S3属性,该属性在文件名的末尾进行通配符搜索,因此我只能将文件夹的某些文件类型列入白名单?

2 个答案:

答案 0 :(得分:2)

您应该可以使用通配符在Resource中进行定义。如果要将文件夹仅限制为Effect: Allow.txt,请使用.doc

{
    "Version": "2012-10-17",
    "Id": "Policy1464968545158",
    "Statement": [
        {
            "Sid": "Stmt1464968483619",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::my-bucket/my-folder/*.doc",
                "arn:aws:s3:::my-bucket/my-folder/*.txt"
            ]
        }
    ]
}

答案 1 :(得分:1)

与使用拒绝效果相同的方法,可以使用允许效果。这两个示例如下:

仅允许特定的对象,并在需要时拒绝特定的对象。...

{
  "Version": "2012-10-17",
  "Id": "Policy1464968545158",
  "Statement": [
    {
      "Sid": "Stmt1464968483619",
      "Effect": "Allow",
      "Principal": {
        "AWS": "IAM-USER-ARN"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::bucket-name/*.doc",
        "arn:aws:s3:::bucket-name/*.txt"
      ]
    },
    {
      "Sid": "Stmt1464968483619",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "NotResource": [
        "arn:aws:s3:::bucket-name/*.png",
        "arn:aws:s3:::bucket-name/*.gif"
      ]
    }
  ]
}