S3 Bucket action doesn't apply to any resources
I\'m following the instructions from this answer to generate the follow S3 bucket policy:
{
\"Id\": \"Policy1495981680273\",
\"Version\": \"2012-10-17\",
\
-
Whenever you are trying to apply use bucket policies. Remember this thing, If you are using actions like "s3:ListBucket", "s3:GetBucketPolicy", "s3:GetBucketAcl" etc. which are related to bucket, the resource attribute in policy should be mentioned as <"Resource": "arn:aws:s3:::bucket_name">.
Ex.
{ "Version": "2012-10-17", "Id": "Policy1608224885249", "Statement": [ { "Sid": "Stmt1608226298927", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetBucketPolicy", "s3:GetBucketAcl", "s3:ListBucket" ], "Resource": "arn:aws:s3:::bucket_name" } ] }If you are using actions like "s3:GetObject", "s3:DeleteObject", "s3:GetObject" etc. which are related to object, the resource attribute in policy should be mentioned as <"Resource": "arn:aws:s3:::bucket_name/*">.
ex.
{ "Id": "Policy1608228066771", "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1608228057071", "Action": [ "s3:DeleteObject", "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::bucket_name/*", "Principal": "*" } ] }Finally if you are using actions like "s3:ListBucket", "s3:GetObject" etc. these actions are related to both bucket and object then the resource attribute in policy should be mentioned as <"Resource": ["arn:aws:s3:::bucket_name/*", "Resource": "arn:aws:s3:::bucket_name">.
ex.
{ "Version": "2012-10-17", "Id": "Policy1608224885249", "Statement": [ { "Sid": "Stmt1608226298927", "Effect": "Allow", "Principal": "*", "Action": [ "s3:ListBucket", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*" ] } ] }讨论(0) -
From IAM docs, http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Action
Some services do not let you specify actions for individual resources; instead, any actions that you list in the Action or NotAction element apply to all resources in that service. In these cases, you use the wildcard * in the Resource element.
With this information, resource should have a value like below:
"Resource": "arn:aws:s3:::surplace-audio/*"讨论(0) -
You can also configure ListBuckets for each folder, like so
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSESPuts-1521238702575", "Effect": "Allow", "Principal": { "Service": "ses.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::buckets.email/*", "Condition": { "StringEquals": { "aws:Referer": "[red]" } } }, { "Sid": "Stmt1586754972129", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::596322993031:user/[red]" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::buckets.email", "Condition": { "StringEquals": { "s3:delimiter": "/", "s3:prefix": [ "", "domain.co", "domain.co/user" ] } } }, { "Sid": "Stmt1586754972129", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::596322993031:user/[red]" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::buckets.email", "Condition": { "StringLike": { "s3:prefix": "domain.co/user/*" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::596322993031:user/[red]" }, "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::buckets.email/domain.co/user/*" } ] }These rules are used together with SES to receive an email, but allows an external user to view the files that were put in the bucket by SES. I followed the instructions from here: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
Also, you must specify prefix as
domain.co/user/WITH slash at the end when using the SDK, otherwise you'll get access denied. hope it helps anyone讨论(0) -
In my case the solution to this error was trying to remove some of Actions that I was applying. Some of them are not relevant to, or cannot work with this resource. In this case it wouldn't let me include these:
GetBucketAcl ListBucket ListBucketMultipartUploads
讨论(0) -
Error Action does not apply to any resource(s) in statement
Simply it means that the action (you wrote in policy) doesn't apply to the resource. I was trying to make public my bucket so that anybody can download from my bucket. I was getting error until I remove ( "s3:ListBucket") from my statement.
{ "Id": "Policyxxxx961", "Version": "2012-10-17", "Statement": [ { "Sid": "Stmtxxxxx4365", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:PutObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::bucket-name/*", "Principal": "*" } ] }Because list bucket doesn't apply inside the bucket, thus by deleting this action policy worked fine.
讨论(0) -
I have also faced the similar issue while creating the bucket
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AddPerm", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::mrt9949" ] } ] }I have changed the above code to
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AddPerm", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::mrt9949/*" ] } ] }add /* to your bucket name it will solve the issue
Here my bucket name is mrt9949
讨论(0)
加载中...
- 热议问题