AWS IAM-您可以在一个值中使用多个通配符(*) [英] AWS IAM - Can you use multiple wildcards (*) in a value

问题描述

在所有IAM策略示例中，他们都提到使用通配符( * )作为内容"的占位符.但是，示例始终在末尾使用它们，并且/或者仅使用一个通配符进行演示(例如，使用 .../xyz/* 列出文件夹"xyz"中的所有内容).

In all of the IAM Policy examples, they mention using wildcards (*) as placeholders for "stuff". However, the examples always use them at the end, and/or only demonstrate with one wildcard (e.g. to list everything in folder "xyz" with .../xyz/*).

对于使用多个通配符，我找不到任何明确的定义，例如，无法在多个存储桶的子文件夹中匹配任何内容:

I can't find anything definitive regarding the use of multiple wildcards, for example to match anything in subfolders across multiple buckets:

arn:aws:s3 ::: mynamespace-property */logs/*

允许某人查看生产"( mynamespace-property-prod )和沙盒"( mynamespace-property-sand)中的任何 log 文件)存储桶.

to allow something to see any log files across a "production" (mynamespace-property-prod) and "sandbox" (mynamespace-property-sand) bucket.

推荐答案

不确定，但是突然之间"(您知道我在说什么)正在使用

Not sure, but "all of a sudden" (you know what I'm talking about) it's working in the policy simulator with:

• 策略1:允许在任何存储分区上都具有特定的S3权限" (例如，编辑角色)
• 策略2:除非在存储桶中的用户文件夹中，否则所有S3操作都将被拒绝" (即只能看到其文件)

政策2"在哪里:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExplicitlyDenyAnythingExceptOwnNamedFolder",
            "Action": [
                "s3:*"
            ],
            "Effect": "Deny",
            "NotResource": [
                "arn:aws:s3:::mynamespace-property*/subfolder/${aws:username}/*"
            ]
        }
    ]
}

---

请注意， arn:aws:s3 ::: mynamespace-property */$ {aws:username}/* (无明确的子文件夹)将匹配有无子文件夹":

---

As a sidenote, be aware that arn:aws:s3:::mynamespace-property*/${aws:username}/* (no explicit subfolder) will match both with and without "intervening" subfolders:

• arn:aws:s3 ::: mynamespace-property-suffix/subfolder/theuser/files ..."
• arn:aws:s3 ::: mynamespace-property-suffix/theuser/files ..."

这篇关于AWS IAM-您可以在一个值中使用多个通配符(*)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！