43

In all of the IAM Policy examples, they mention using wildcards (*) as placeholders for "stuff". However, the examples always use them at the end, and/or only demonstrate with one wildcard (e.g. to list everything in folder "xyz" with .../xyz/*).

I can't find anything definitive regarding the use of multiple wildcards, for example to match anything in subfolders across multiple buckets:

arn:aws:s3:::mynamespace-property*/logs/*

to allow something to see any log files across a "production" (mynamespace-property-prod) and "sandbox" (mynamespace-property-sand) bucket.

drzaus
  • 24,171
  • 16
  • 142
  • 201
  • 1
    I can confirm that an IAM policy resource in the form of `arn:aws:cloudformation:*:123456789012:stack/Foo/*` works. This contains multiple wildcards, one of which is not at the end of the ARN. – gene_wood Dec 02 '15 at 01:31

4 Answers4

34

Not sure, but "all of a sudden" (you know what I'm talking about) it's working in the policy simulator with:

  • Policy 1: "allow specific S3 permissions on any bucket" (e.g. an editor role)
  • Policy 2: "deny all S3 actions unless in a user's folder across buckets" (i.e. can only see their files)

Where 'Policy 2' is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExplicitlyDenyAnythingExceptOwnNamedFolder",
            "Action": [
                "s3:*"
            ],
            "Effect": "Deny",
            "NotResource": [
                "arn:aws:s3:::mynamespace-property*/subfolder/${aws:username}/*"
            ]
        }
    ]
}

As a sidenote, be aware that arn:aws:s3:::mynamespace-property*/${aws:username}/* (no explicit subfolder) will match both with and without "intervening" subfolders:

  • arn:aws:s3:::mynamespace-property-suffix/subfolder/theuser/files..."
  • arn:aws:s3:::mynamespace-property-suffix/theuser/files..."
drzaus
  • 24,171
  • 16
  • 142
  • 201
18

Yes, It will work

From the documentation:

You can use wildcards as part of the resource ARN. You can use wildcard characters (* and ?) within ARN segments (the parts separated by colons) to represent any combination of characters with an askterisk (*) and any single character with a question mark (?). You can use multiple * or ? characters in each segment.

For those questioning the meaning of the single *. Do not interpret that as spanning multiple segments but rather that is has special meaning of ALL RESOURCES.

Worth noting you you cannot use a wildcard to match part of a principal name or ARN (if you are working with a resource based policy).

Brent
  • 1,324
  • 1
  • 15
  • 22
  • 4
    It's interesting the documentation specifies `...a wildcard cannot span segments.` - wouldn't the generic `Resource: "*"` (which, from what I understand, is valid) not be consistent with this statement? – WXMan Jun 05 '19 at 12:20
  • 1
    @WXMan you bring up a good point. Personally, I interpret the `Resource: "*"` as an alternative to specifying an ARN, so the ARN wildcard documentation doesn't apply. – vastlysuperiorman Jul 23 '19 at 19:56
  • 1
    Strangely, the policy simulator seems to disagree with the documentation. Wildcards DO span segments (they really act like a `.*` regex). This could lead to serious security issues when overlooked. – Maxime Rossini Feb 19 '20 at 16:13
  • 2
    I think we all misread the documentation, because it states that ARN segments are "the parts separated by COLONS" (as in: wildcards don't span over multiple ARN definitions in the list), not slashes. So there's really no reason `*` would not match any resource. – Maxime Rossini Feb 19 '20 at 17:38
4

The ARN Format is composed by segments (like partition, service, regions, ...):

arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id

the say:

You can use multiple * or ? characters in each segment, but a wildcard cannot span segments.

I interpret that like you can use many wildcards, but the ones you use in a segment (delimited by :) doesn't affect the other segments. So the answer is yes.

yucer
  • 4,431
  • 3
  • 34
  • 42
0

Yes you can use multiple wildecards anywhere wildecard is supported:

Pavel.Solovyenko
  • 66
  • 2
  • 4