AWS IAM - Can you use multiple wildcards (*) in a value

我的梦境 提交于 2021-02-06 07:31:42

问题


In all of the IAM Policy examples, they mention using wildcards (*) as placeholders for "stuff". However, the examples always use them at the end, and/or only demonstrate with one wildcard (e.g. to list everything in folder "xyz" with .../xyz/*).

I can't find anything definitive regarding the use of multiple wildcards, for example to match anything in subfolders across multiple buckets:

arn:aws:s3:::mynamespace-property*/logs/*

to allow something to see any log files across a "production" (mynamespace-property-prod) and "sandbox" (mynamespace-property-sand) bucket.


回答1:


Not sure, but "all of a sudden" (you know what I'm talking about) it's working in the policy simulator with:

  • Policy 1: "allow specific S3 permissions on any bucket" (e.g. an editor role)
  • Policy 2: "deny all S3 actions unless in a user's folder across buckets" (i.e. can only see their files)

Where 'Policy 2' is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExplicitlyDenyAnythingExceptOwnNamedFolder",
            "Action": [
                "s3:*"
            ],
            "Effect": "Deny",
            "NotResource": [
                "arn:aws:s3:::mynamespace-property*/subfolder/${aws:username}/*"
            ]
        }
    ]
}

As a sidenote, be aware that arn:aws:s3:::mynamespace-property*/${aws:username}/* (no explicit subfolder) will match both with and without "intervening" subfolders:

  • arn:aws:s3:::mynamespace-property-suffix/subfolder/theuser/files..."
  • arn:aws:s3:::mynamespace-property-suffix/theuser/files..."



回答2:


Yes, It will work

From the documentation:

You can use wildcards as part of the resource ARN. You can use wildcard characters (* and ?) within any ARN segment (the parts separated by colons). An asterisk (*) represents any combination of characters and a question mark (?) represents any single character. You can have use multiple * or ? characters in each segment, but a wildcard cannot span segments.

I am going to say the "You can have use multiple " is a typo in the doc and they mean "you can use".



来源:https://stackoverflow.com/questions/22561731/aws-iam-can-you-use-multiple-wildcards-in-a-value

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!