我想我的问题很简单。假设我有以下 S3 存储桶结构。
- root_folder_bucket
- subfolder1
- subfolder2
- subfolder3
- somefolder
仅限制访问的天真方法(例如子文件夹 1、子文件夹 2 和子文件夹 3(就像波纹管一样。事实上,AWS不会抛出错误,但这样的策略是行不通的。有没有优雅的方法可以编写资源策略,比如下面,或者我应该坚持前缀、条件和分隔符?
"arn:aws:s3:::root_folder_bucket/[subfolder1, subfolder2]/*",
您可以在如下所示
的策略生命周期中添加多个语句,而不是在单个 ARN 中定义子文件夹(这不起作用(,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::root_folder_bucket/subfolder1"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::root_folder_bucket/subfolder2"]
}
]
}
或者将多个 ARN 添加到资源块,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::root_folder_bucket/subfolder1",
"arn:aws:s3:::root_folder_bucket/subfolder2"]
}
]
}