If you have a company with S3 buckets:
widgets.alpha.data
widgets.bravo.data
widgets.backups
And then you have an IAM user Bob with S3 access to
arn:aws:s3:::widgets.*.data/*
and then you run:
This will show Bob has access to the widgets.backups bucket, because technically, there could be an object named widgets.backups/foo.data/bar. Although what I do is technically correct, for my current use case at least, it is giving me results I don't want.

Never mind, I realized that since I want to know if an arbitrary file could be accessed, I could specify an arbitrary file of arn:aws:s3:::widgets.backups/test instead of arn:aws:s3:::widgets.backups/*.
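The wildcard behaviour discussed in this thread, as an added Python example (not code from the thread or from any tool it refers to). It assumes IAM resource-ARN matching semantics, where `*` matches any run of characters including `/` and `?` matches one character; the bucket and object names are the constructed ones from the thread.

```python
import re
from functools import lru_cache


def arn_pattern_to_regex(pattern: str) -> re.Pattern:
    """Convert an IAM resource pattern to a regex. '*' spans '/' (that is why
    widgets.*.data/* reaches into widgets.backups); '?' is a single char."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def resource_matches(policy_resource: str, arn: str) -> bool:
    """Does a concrete ARN fall under the policy's Resource pattern?"""
    return arn_pattern_to_regex(policy_resource).match(arn) is not None


def patterns_could_overlap(p: str, q: str) -> bool:
    """True if some concrete ARN satisfies both wildcard patterns. This is the
    question a permission scanner effectively answers when it is handed a
    wildcard resource such as widgets.backups/* instead of a concrete key."""
    @lru_cache(maxsize=None)
    def go(i: int, j: int) -> bool:
        if i == len(p) and j == len(q):
            return True
        if i < len(p) and p[i] == "*":          # star matches empty, or eats one char of q
            return go(i + 1, j) or (j < len(q) and go(i, j + 1))
        if j < len(q) and q[j] == "*":
            return go(i, j + 1) or (i < len(p) and go(i + 1, j))
        if i < len(p) and j < len(q) and (p[i] == q[j] or "?" in (p[i], q[j])):
            return go(i + 1, j + 1)
        return False
    return go(0, 0)


POLICY = "arn:aws:s3:::widgets.*.data/*"   # Bob's granted resource (from the thread)

if __name__ == "__main__":
    # The surprising hit: a key in widgets.backups that happens to contain ".data/"
    print(resource_matches(POLICY, "arn:aws:s3:::widgets.backups/foo.data/bar"))  # True
    # Asking about the wildcard resource reports possible access...
    print(patterns_could_overlap(POLICY, "arn:aws:s3:::widgets.backups/*"))       # True
    # ...while asking about a concrete key gives the answer the poster wanted
    print(resource_matches(POLICY, "arn:aws:s3:::widgets.backups/test"))          # False
```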