amazon-web-services - 简化多个 AWS S3 策略

Question

有没有办法以某种方式将下面给出的 2 个 AWS IAM 策略语句简化为一个？

我想允许存储桶上的 ListBucket、GetBucketLocation、GetBucketPolicy、GetBucketACL 操作，以及位于存储桶内的主文件夹和子文件夹 1、2、3？

我有两个语句 - 一个允许对存储桶进行操作，另一个允许对主文件夹和子文件夹进行操作。由于两个语句中的 actions、Effect 和 Resource 是相同的，是否可以以某种方式编写单个语句？

谢谢，

约翰

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": "arn:aws:s3:::bucket"
    },
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToListFilesInAllFolders",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": "arn:aws:s3:::bucket",
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    "mainfolder",
                    "mainfolder/subfolder1",
                    "mainfolder/subfolder2",
                    "mainfolder/subfolder3"
                ],
                "s3:delimiter": "/"
            }
        }
    }
]

Answer 1

You can use a list of resources to combine these in to a single statement, like this

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": ["arn:aws:s3:::bucket",
                    "arn:aws:s3:::bucket/mainfolder",
                    "arn:aws:s3:::bucket/mainfolder/subfolder1",
                    "arn:aws:s3:::bucket/mainfolder/subfolder2",
                    "arn:aws:s3:::bucket/mainfolder/subfolder3"
        ]
    }
]