S3 Bucket action doesn't apply to any resources

Front-end | Unresolved | 11 | 671
无人及你 2021-01-30 09:55

I'm following the instructions from this answer to generate the following S3 bucket policy:

{
  "Id": "Policy1495981680273",
  "Version": "2012-10-17",

Related tags:
11 answers
  • 2021-01-30 10:19

    Whenever you are trying to apply bucket policies, remember this: if you are using actions like "s3:ListBucket", "s3:GetBucketPolicy", "s3:GetBucketAcl" etc., which are related to the bucket, the resource attribute in the policy should be specified as <"Resource": "arn:aws:s3:::bucket_name">.

    Ex.

    {
        "Version": "2012-10-17",
        "Id": "Policy1608224885249",
        "Statement": [
            {
                "Sid": "Stmt1608226298927",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:GetBucketPolicy",
                    "s3:GetBucketAcl",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::bucket_name"
            }
        ]
    }
    

    If you are using actions like "s3:GetObject", "s3:DeleteObject" etc., which are related to objects, the resource attribute in the policy should be specified as <"Resource": "arn:aws:s3:::bucket_name/*">.

    ex.

    {
      "Id": "Policy1608228066771",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1608228057071",
          "Action": [
            "s3:DeleteObject",
            "s3:GetObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::bucket_name/*",
          "Principal": "*"
        }
      ]
    }
    

    Finally, if you are using actions like "s3:ListBucket" and "s3:GetObject" together, which are related to both the bucket and its objects, the resource attribute in the policy should be specified as <"Resource": ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"]>.

    ex.

    {
        "Version": "2012-10-17",
        "Id": "Policy1608224885249",
        "Statement": [
            {
                "Sid": "Stmt1608226298927",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket_name",
                    "arn:aws:s3:::bucket_name/*"
                ]
            }
        ]
    }
    
    0 Discussion (0)
  • 2021-01-30 10:20

    From IAM docs, http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Action

    Some services do not let you specify actions for individual resources; instead, any actions that you list in the Action or NotAction element apply to all resources in that service. In these cases, you use the wildcard * in the Resource element.

    With this information, resource should have a value like below:

    "Resource": "arn:aws:s3:::surplace-audio/*"
    
    0 Discussion (0)
  • 2021-01-30 10:20

    You can also configure ListBucket for each folder, like so:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSESPuts-1521238702575",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ses.amazonaws.com"
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::buckets.email/*",
                "Condition": {
                    "StringEquals": {
                        "aws:Referer": "[red]"
                    }
                }
            },
            {
                "Sid": "Stmt1586754972129",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::596322993031:user/[red]"
                },
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::buckets.email",
                "Condition": {
                    "StringEquals": {
                        "s3:delimiter": "/",
                        "s3:prefix": [
                            "",
                            "domain.co",
                            "domain.co/user"
                        ]
                    }
                }
            },
            {
                "Sid": "Stmt1586754972129",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::596322993031:user/[red]"
                },
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::buckets.email",
                "Condition": {
                    "StringLike": {
                        "s3:prefix": "domain.co/user/*"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::596322993031:user/[red]"
                },
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject"
                ],
                "Resource": "arn:aws:s3:::buckets.email/domain.co/user/*"
            }
        ]
    }
    

    These rules are used together with SES to receive an email, but allow an external user to view the files that were put in the bucket by SES. I followed the instructions from here: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

    Also, you must specify the prefix as domain.co/user/ WITH the slash at the end when using the SDK, otherwise you'll get access denied. Hope it helps someone.

    0 Discussion (0)
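Worked example for the folder-scoped listing policy in the answer above, added here and not taken from the answer or from AWS: a small evaluator in Python for the two s3:ListBucket statements, run against the Prefix/Delimiter combinations an SDK caller would send. It shows why a listing with prefix domain.co/user and no delimiter is denied while domain.co/user/ is allowed. The statements are a constructed copy of the answer's two ListBucket statements with the Principal dropped (assumption: the caller is already the permitted IAM user). The request-context modelling (s3:prefix present as "" when no Prefix is sent, s3:delimiter present only when a Delimiter is sent) and the reduction of evaluation to "any matching Allow statement" are also assumptions of this example, since the policy has no Deny statements.

```python
"""Evaluate folder-scoped s3:ListBucket statements against sample requests.

Added example, not code from the original post or from AWS. The statements are
a constructed copy of the two ListBucket statements in the answer above, with
the Principal omitted (assumption: the caller is the permitted IAM user).
"""
import re

BUCKET_ARN = "arn:aws:s3:::buckets.email"

# Constructed from the posted policy (Principal removed).
LIST_STATEMENTS = [
    {   # exact prefixes, only when listing "folder by folder" (delimiter "/")
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": BUCKET_ARN,
        "Condition": {"StringEquals": {
            "s3:delimiter": "/",
            "s3:prefix": ["", "domain.co", "domain.co/user"],
        }},
    },
    {   # anything underneath the user's folder, with or without a delimiter
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": BUCKET_ARN,
        "Condition": {"StringLike": {"s3:prefix": "domain.co/user/*"}},
    },
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _string_like(pattern, value):
    # IAM StringLike: '*' matches any run of characters (including "/" and the
    # empty string), '?' matches exactly one character; everything else literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


_OPERATORS = {
    "StringEquals": lambda want, got: want == got,
    "StringLike": _string_like,
}


def condition_matches(condition, ctx):
    """IAM semantics: operators are ANDed, keys within an operator are ANDed,
    the values listed for one key are ORed; a key absent from the request
    context makes the condition false."""
    for operator, keys in condition.items():
        match = _OPERATORS[operator]
        for key, wanted in keys.items():
            if key not in ctx:
                return False
            if not any(match(w, ctx[key]) for w in _as_list(wanted)):
                return False
    return True


def request_context(prefix=None, delimiter=None):
    # Modelling assumption: a ListObjects call without Prefix still presents
    # s3:prefix as ""; s3:delimiter is only present when Delimiter was sent.
    ctx = {"s3:prefix": prefix or ""}
    if delimiter is not None:
        ctx["s3:delimiter"] = delimiter
    return ctx


def list_allowed(statements, bucket_arn, prefix=None, delimiter=None):
    """True if any Allow statement for s3:ListBucket on the bucket ARN has a
    Condition that matches this request (no Deny statements modelled)."""
    ctx = request_context(prefix, delimiter)
    for s in statements:
        if s.get("Effect") != "Allow" or "s3:ListBucket" not in _as_list(s["Action"]):
            continue
        if bucket_arn not in _as_list(s["Resource"]):
            continue
        if condition_matches(s.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    for args in [dict(prefix="domain.co/user/", delimiter="/"),
                 dict(prefix="domain.co/user"),
                 dict(prefix="domain.co/user", delimiter="/"),
                 dict(delimiter="/"),
                 dict(prefix="domain.co/other/", delimiter="/")]:
        verdict = "allowed" if list_allowed(LIST_STATEMENTS, BUCKET_ARN, **args) else "denied"
        print(args, "->", verdict)
```

The second case (prefix domain.co/user, no delimiter) is the one the answer warns about: the StringEquals statement fails because s3:delimiter is absent from the request, and the StringLike statement fails because the pattern requires the trailing slash.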
  • 2021-01-30 10:22

    In my case the solution to this error was to remove some of the Actions that I was applying. Some of them are not relevant to, or cannot work with, this resource. In this case it wouldn't let me include these:

    GetBucketAcl ListBucket ListBucketMultipartUploads

    0 Discussion (0)
  • 2021-01-30 10:24

    Error: Action does not apply to any resource(s) in statement

    Simply put, it means that the action (which you wrote in the policy) doesn't apply to the resource. I was trying to make my bucket public so that anybody could download from my bucket. I was getting the error until I removed "s3:ListBucket" from my statement.

    {
      "Id": "Policyxxxx961",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmtxxxxx4365",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::bucket-name/*",
          "Principal": "*"
        }
      ]
    }
    

    Because ListBucket doesn't apply inside the bucket, deleting this action made the policy work fine.

    0 Discussion (0)
  • 2021-01-30 10:26

    I also faced a similar issue while creating the bucket:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AddPerm",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::mrt9949"
                ]
            }
        ]
    }
    

    I changed the above code to

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AddPerm",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::mrt9949/*"
                ]
            }
        ]
    }
    

    Add /* to your bucket name; it will solve the issue.

    Here my bucket name is mrt9949.

    0 Discussion (0)
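A checker for the rule the first answer states (bucket-level actions need arn:aws:s3:::bucket, object-level actions need arn:aws:s3:::bucket/key-pattern), added here as an example and not taken from any answer or from AWS. It reproduces the "Action does not apply to any resource(s)" error offline for the failing policies in the last two answers, and separately lists which statements grant access to "Principal": "*": several policies in this thread pair that principal with s3:PutObject or s3:DeleteObject, which makes the bucket world-writable rather than merely world-readable. The action tables are a hand-maintained subset (assumption: the AWS S3 actions reference is authoritative; wildcard and unlisted actions are skipped, not validated), and the two sample policies are constructed from the posts above.

```python
"""Offline check for "Action does not apply to any resource(s) in statement".

Added example, not code from the original thread or from AWS. Classifies each
S3 action as bucket-level or object-level and checks that the statement's
Resource list contains an ARN of the matching shape; also flags statements
open to "Principal": "*". Action tables are a hand-maintained subset
(assumption: the AWS S3 actions reference is authoritative).
"""
import json
import re

# Operate on the bucket itself: need arn:aws:s3:::<bucket>
BUCKET_LEVEL = {
    "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketAcl",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:GetBucketLocation",
}
# Operate on objects: need arn:aws:s3:::<bucket>/<key-pattern>
OBJECT_LEVEL = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectAcl",
    "s3:PutObjectAcl",
}

BUCKET_ARN = re.compile(r"^arn:aws:s3:::[^/]+$")
OBJECT_ARN = re.compile(r"^arn:aws:s3:::[^/]+/.+$")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _load(policy):
    return json.loads(policy) if isinstance(policy, str) else policy


def check_statement(stmt):
    """Return [(action, reason)] for each action that cannot apply to any
    Resource in this statement; an empty list means the pairing is valid."""
    resources = _as_list(stmt.get("Resource", []))
    has_bucket = any(BUCKET_ARN.match(r) for r in resources)
    has_object = any(OBJECT_ARN.match(r) for r in resources)
    problems = []
    for action in _as_list(stmt.get("Action", [])):
        if "*" in action:
            continue  # s3:* / s3:Get* can match either level; not classified
        if action in BUCKET_LEVEL and not has_bucket:
            problems.append((action, "bucket-level action, add arn:aws:s3:::<bucket>"))
        elif action in OBJECT_LEVEL and not has_object:
            problems.append((action, "object-level action, add arn:aws:s3:::<bucket>/*"))
    return problems


def check_policy(policy):
    """Map Sid (or statement[i]) -> mismatches, for statements that have any."""
    report = {}
    for i, stmt in enumerate(_load(policy).get("Statement", [])):
        problems = check_statement(stmt)
        if problems:
            report[stmt.get("Sid", f"statement[{i}]")] = problems
    return report


def public_statements(policy):
    """Sids of Allow statements whose Principal is "*" (anyone, no credentials)."""
    out = []
    for i, stmt in enumerate(_load(policy).get("Statement", [])):
        p = stmt.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and anyone:
            out.append(stmt.get("Sid", f"statement[{i}]"))
    return out


# Constructed from the "make my bucket public" answer: s3:ListBucket is paired
# only with the object ARN, which is exactly what AWS rejects. Note that it
# also gives s3:PutObject to everyone.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": "arn:aws:s3:::bucket-name/*",
    }],
})

# Same grant with both ARN shapes (first answer's rule) and without PutObject,
# so "Principal": "*" is read-only.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
    }],
})

if __name__ == "__main__":
    for name, pol in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)]:
        print(name, "mismatches:", check_policy(pol))
        print(name, "open to everyone:", public_statements(pol))
```

Run it before calling PutBucketPolicy; it reports the ListBucket mismatch in the broken policy and nothing for the fixed one, and in both cases reminds you that the grant is to the whole internet.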