I am creating S3 buckets in a program using 'standard-prefix-{variable}'. In trying to create an IAM policy so a user can update, create, delete buckets in an account, but only if the bucket name contains the 'standard-prefix'. IE, I don't want to allow modifying other buckets in the account. I'm finding many ways to limit access to resources within a bucket, given a specific bucket name, but no way of limiting access when the bucket names are changing.
Something like (which doesn't seem to be working):
"Resource": "arn:aws:s3:::standard-prefix-*"
Examples from AWS Docs:
Dynamic name based on username is the closest I've found. But I need a wildcard for the variable part of the bucket name:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "arn:aws:sqs:us-west-2:*:${aws:username}-queue"
}]
}
Items with in a specified bucket name:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
}
]
}
Aucun commentaire:
Enregistrer un commentaire