Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
menu search
person
Welcome To Ask or Share your Answers For Others

Categories

I have an AWS IAM policy in Terraform that is written like such:

            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::bucket-name",
                "Condition": {
                    "StringLike": {
                        "s3:prefix": "${local.account_id}/*"
                    }
                }
            }

However, I'm trying to understand why s3:prefix is used at all. Can't this be done with:

            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::bucket-name/${local.account_id}/*",
            }
question from:https://stackoverflow.com/questions/66054830/aws-iam-s3prefix

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
391 views
Welcome To Ask or Share your Answers For Others

1 Answer

s3:ListBucket only applies to the Resource of bucket. In your second example, your Resource are objects, and the s3:ListBucket will not apply. So your policy will have no effect.

In contrast, in the frist example the Resource is actual bucket, not objects. s3:ListBucket will work. Additionally, due to the Condition, s3:ListBucket will only allow listing content of folder ${local.account_id} in the bucket.

Other such scenarios are discussed here.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
...