I am working on an IAM policy to restrict the access to S3 buckets with a specific prefix. S3 buckets in our account have an environment name as a prefix for example, dev-bucket1, dev-bucket2, dev-bucket3, test-bucket1, test-bucket2 and test-bucket3.
My EC2 instance in dev environment (dev and test environments are in a separate VPCs in the same account) should access only the dev buckets. I learned about s3:prefix condition but I don't have much clarity on this. By looking at the sample policies, I think s3:prefix works on only folders within the bucket. Can someone suggest a policy to access all the S3 buckets with a specific prefix?
Thanks
JR
It appears that your situation is:
dev-test-You can do this by specifying a wildcard when granting access to the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
]
"Resource": [
"arn:aws:s3:::dev-*",
"arn:aws:s3:::dev-*/*"
]
}
]
}
This policy should be granted to the IAM Role that is assigned to the Dev EC2 instances.