AWS IAM策略中的可变资源名称 [英] Variable resource name in AWS IAM policy

问题描述

我正在使用'standard-prefix-{variable}'在程序中创建S3存储桶.尝试创建IAM策略时，用户可以更新，创建，删除帐户中的存储桶，但前提是存储桶名称包含"standard-prefix". IE，我不想允许修改帐户中的其他存储桶.在给定特定的存储桶名称的情况下，我发现了很多方法来限制对存储桶中资源的访问，但是在更改存储桶名称时，没有任何方法可以限制访问.

I am creating S3 buckets in a program using 'standard-prefix-{variable}'. In trying to create an IAM policy so a user can update, create, delete buckets in an account, but only if the bucket name contains the 'standard-prefix'. IE, I don't want to allow modifying other buckets in the account. I'm finding many ways to limit access to resources within a bucket, given a specific bucket name, but no way of limiting access when the bucket names are changing.

类似的东西(似乎不起作用):

Something like (which doesn't seem to be working):

"Resource": "arn:aws:s3:::standard-prefix-*"

AWS文档中的示例:

基于用户名的动态名称是我找到的最接近的名称.但是对于存储区名称的可变部分，我需要使用通配符:

Dynamic name based on username is the closest I've found. But I need a wildcard for the variable part of the bucket name:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sqs:*",
    "Resource": "arn:aws:sqs:us-west-2:*:${aws:username}-queue"
  }]
}  

具有指定存储桶名称的项目:

Items with in a specified bucket name:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
    }
  ]
}

推荐答案

这是最终生效的策略.创建存储区时，它们会获得诸如standard_prefix-20150101，standard_prefix-20150515等的名称.具有此IAM策略的用户可以在这些存储区上执行任何操作，但不能修改帐户中的其他存储区.

This is the policy that ended up working. When creating the buckets, they get a name such as standard_prefix-20150101, standard_prefix-20150515, etc. Users with this IAM policy can then do whatever on those buckets, but not modify other buckets in the account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "One",
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": [
                "arn:aws:s3:::standard_prefix-*"
            ]
        },
                {
            "Sid": "Two",
            "Effect": "Allow",
            "Action": [
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

这篇关于AWS IAM策略中的可变资源名称的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！