IAM策略,仅允许从S3存储桶的特定文件夹中删除

时间:2020-11-05 17:29:48

标签: amazon-web-services amazon-s3 amazon-iam aws-policies

我有一个水桶:s3://mybucket

我只想删除s3://mybucket/test下的对象

我尝试了以下策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1604573937792",
            "Action": [
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket/",
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": "test/*"
                }
            }
        }
    ]
}

但是,尝试删除对象arn:aws:s3:::mybucket/test/x.txt的IAM策略模拟器无法显示“隐式拒绝(没有匹配的语句)”。我应该改变什么?

1 个答案:

答案 0 :(得分:0)

如果您查看Actions, resources, and condition keys for Amazon S3 - AWS Identity and Access Management,则会发现DeleteObject不接受Prefix

您可以使用:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::mybucket/text/*"
        }
    ]
}