Eric Mamet

Reputation: 3647

AWS S3 policy to allow access to buckets ending with particular name

Is it possible to write an AWS S3 policy such that

  1. can read all objects in buckets whose names end in "archive" (the bucket name ends in archive; no constraint on object names)
  2. can read-write all objects in buckets whose names end in "output"

Can that be done?

I can't find "conditions" that would allow me to do that...

Thanks

PS:

  1. I just edited the question because there was ambiguity as to whether it was the bucket or the object name ending in "...".
  2. I have since gathered that I can't filter the names of the buckets that can be listed.
  3. The comment from bruno-reis makes it clear that it would be a bad idea anyway.

Upvotes: 3

Views: 2991

Answers (1)

John Rotenstein

Reputation: 269480

No, this is not possible.

You are asking for a policy that applies to multiple buckets. Therefore, this would need to be an IAM Policy because a Bucket Policy only applies to a specific bucket.

While IAM policies allow wildcards, they are pretty limited in their capability. For example, this policy would appear to work, and does indeed grant access to a bucket ending with -output:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::*-output/*"
        }
    ]
}

So, this command will succeed:

aws s3 cp foo-output/bar.txt .

However, it also allows this command:

aws s3 cp foo/results-output/bar.txt .

This is because the wildcards in the policy do not differentiate between the part of the ARN that refers to the bucket name and the path/object name.

So, it is possible that they can access a bucket that does not end in -output. Thus, it is an unsafe policy.

Upvotes: 3
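To make the over-grant in the answer concrete, here is an added Python simulation (not code from the question or the answer) of how an IAM Resource wildcard is matched against S3 object ARNs. It assumes the documented IAM semantics where "*" matches any run of characters, including "/", and the helper names (iam_matches, split_s3_arn, audit_overgrant) are hypothetical; the ARNs are constructed sample data.

```python
import re

S3_ARN_PREFIX = "arn:aws:s3:::"


def iam_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM Resource pattern into a regex.
    "*" matches any characters (a "/" included), "?" matches one character;
    neither wildcard stops at the bucket/key boundary."""
    out = ""
    for ch in pattern:
        if ch == "*":
            out += ".*"
        elif ch == "?":
            out += "."
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$")


def iam_matches(resource_pattern: str, arn: str) -> bool:
    """True if the policy's Resource pattern would match this ARN."""
    return iam_glob_to_regex(resource_pattern).match(arn) is not None


def split_s3_arn(arn: str) -> tuple[str, str]:
    """Split an S3 object ARN into (bucket, key). Bucket names cannot
    contain "/", so the first "/" after the prefix ends the bucket name."""
    if not arn.startswith(S3_ARN_PREFIX):
        raise ValueError(f"not an S3 ARN: {arn}")
    bucket, _, key = arn[len(S3_ARN_PREFIX):].partition("/")
    return bucket, key


def audit_overgrant(resource_pattern: str, suffix: str, arns: list[str]) -> list[str]:
    """Return the ARNs the pattern allows whose *bucket* does not end in
    `suffix`, i.e. access the policy author did not intend to grant."""
    return [
        arn for arn in arns
        if iam_matches(resource_pattern, arn)
        and not split_s3_arn(arn)[0].endswith(suffix)
    ]


# Constructed sample ARNs mirroring the two commands in the answer.
SAMPLE_ARNS = [
    "arn:aws:s3:::foo-output/bar.txt",         # bucket foo-output: intended
    "arn:aws:s3:::foo/results-output/bar.txt", # bucket foo: NOT intended
    "arn:aws:s3:::foo-archive/bar.txt",        # not matched at all
]

if __name__ == "__main__":
    print(audit_overgrant("arn:aws:s3:::*-output/*", "-output", SAMPLE_ARNS))
```

Running it reports only the second ARN: the key "results-output/bar.txt" satisfies the pattern even though the bucket is "foo", which is exactly the gap the answer describes.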
