In all of the IAM Policy examples, they mention using wildcards (*) as placeholders for "stuff". However, the examples always use them at the end, and/or only demonstrate with one wildcard (e.g. to list everything in folder "xyz" with .../xyz/*).
I can't find anything definitive regarding the use of multiple wildcards, for example to match anything in subfolders across multiple buckets:

arn:aws:s3:::mynamespace-property*/logs/*

to allow something to see any log files across a "production" (mynamespace-property-prod) and "sandbox" (mynamespace-property-sand) bucket.
Not sure, but "all of a sudden" (you know what I'm talking about) it's working in the policy simulator with:
Where 'Policy 2' is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExplicitlyDenyAnythingExceptOwnNamedFolder",
      "Action": [
        "s3:*"
      ],
      "Effect": "Deny",
      "NotResource": [
        "arn:aws:s3:::mynamespace-property*/subfolder/${aws:username}/*"
      ]
    }
  ]
}
As a sidenote, be aware that arn:aws:s3:::mynamespace-property*/${aws:username}/* (no explicit subfolder) will match both with and without "intervening" subfolders:

arn:aws:s3:::mynamespace-property-suffix/subfolder/theuser/files...
arn:aws:s3:::mynamespace-property-suffix/theuser/files...
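To make the matching behaviour from the question and the sidenote concrete, here is an added example (not code from the original post or from AWS) that models IAM resource-pattern matching in Python: `*` matches any run of characters including `/`, `?` matches one character, and `${aws:username}` is substituted from the request context before matching. `deny_applies` checks only the resource side of the Deny/NotResource statement above; action matching is left out, and the ARNs and username below are constructed sample inputs.

```python
import re

# The Deny statement from the answer above (Version/Statement wrapper omitted).
DENY_STATEMENT = {
    "Sid": "ExplicitlyDenyAnythingExceptOwnNamedFolder",
    "Action": ["s3:*"],
    "Effect": "Deny",
    "NotResource": ["arn:aws:s3:::mynamespace-property*/subfolder/${aws:username}/*"],
}


def pattern_to_regex(pattern: str, context: dict) -> re.Pattern:
    """Translate an IAM resource pattern into an anchored regex (assumed semantics)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("${", i):
            end = pattern.index("}", i)
            name = pattern[i + 2:end]
            if name in ("*", "?", "$"):
                out.append(re.escape(name))            # ${*} etc. are literal characters
            else:
                out.append(re.escape(context[name]))   # policy variable, e.g. ${aws:username}
            i = end + 1
            continue
        c = pattern[i]
        if c == "*":
            out.append(".*")        # any run of characters, "/" included (not a shell glob)
        elif c == "?":
            out.append(".")         # exactly one character
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))


def resource_matches(pattern: str, arn: str, context: dict) -> bool:
    return pattern_to_regex(pattern, context).fullmatch(arn) is not None


def deny_applies(statement: dict, arn: str, context: dict) -> bool:
    """A Deny with NotResource fires when the ARN matches none of the listed patterns."""
    if statement["Effect"] != "Deny" or "NotResource" not in statement:
        raise ValueError("only Deny + NotResource statements are modelled here")
    return not any(resource_matches(p, arn, context) for p in statement["NotResource"])


if __name__ == "__main__":
    ctx = {"aws:username": "theuser"}   # constructed request context
    print(resource_matches("arn:aws:s3:::mynamespace-property*/logs/*",
                           "arn:aws:s3:::mynamespace-property-prod/logs/2020/app.log", ctx))
    print(deny_applies(DENY_STATEMENT,
                       "arn:aws:s3:::mynamespace-property-sand/subfolder/other/file.txt", ctx))
```

Because the bucket-name wildcard is a prefix match, the pattern also covers any other bucket whose name begins with mynamespace-property, so it is worth checking the account for buckets that share that prefix unintentionally.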