请参考以下策略,限制用户仅上传或列出特定文件夹中的对象。我已创建了一个策略,允许我仅列出folder1和folder2的对象,并且允许将对象放入folder1并拒绝上传到buckets的其他文件夹。
该策略执行以下操作:
1.列出bucket的所有文件夹
2.列出允许文件夹中的对象和文件夹
3.仅将文件上传到允许的文件夹
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowListingOfFolder1And2",
"Action": [
"s3:*"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::bucketname"
],
"Condition": {
"StringNotLike": {
"s3:prefix": [
"folder1/*",
"folder2/*"
]
},
"StringLike": {
"s3:prefix": "*"
}
}
},
{
"Sid": "Allowputobjecttofolder1only",
"Effect": "Deny",
"Action": "s3:PutObject",
"NotResource": "arn:aws:s3:::bucketname/folder1/*"
}
]
}