S3 Bucket action doesn't apply to any resources

Front-end | Unresolved | 11 | 664
无人及你
无人及你 2021-01-30 09:55

I'm following the instructions from this answer to generate the following S3 bucket policy:

{
  "Id": "Policy1495981680273",
  "Version": "2012-10-17",

11 answers
  • 2021-01-30 10:34
    • Go to Amazon S3 in your instance.
    • Go to Permissions -> Public Access tab.
    • Select Edit and uncheck Block all public access and save.
    • You will see a 'Public' tag in the Permissions tab and in the Access Control List.
    0 Discuss (0)
  • 2021-01-30 10:35

    You have to check the pattern of the ARN defined under the Resource key of the policy:

    "Resource": "arn:aws:s3:::s3mybucketname/*"

    Adding "/*" at the end helps resolve the issue if you still face it even after unblocking public access for your bucket.

    0 Discuss (0)
  • 2021-01-30 10:38

    Just ran into this issue and found a shorter solution for those that want to have ListBucket and GetObject in the same policy.

    {
      "Id": "Policyxxxx961",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmtxxxxx4365",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": [
              "arn:aws:s3:::bucket-name",
              "arn:aws:s3:::bucket-name/*"
          ],
          "Principal": "*"
        }
      ]
    }
    
    0 Discuss (0)
  • 2021-01-30 10:38

    From AWS > Documentation > AWS Identity and Access Management > User Guide https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

    It is clearly defined in a note: "Some services do not let you specify actions for individual resources."

    You use the wildcard * in the Resource element:

    "Resource": "arn:aws:s3:::surplace-audio/*"

    0 Discuss (0)
  • Just removing the s3:ListBucket permission wasn't really a good enough solution for me, and probably isn't for many others.

    If you want the s3:ListBucket permission, you need to just have the plain ARN of the bucket (without the /* at the end), as this permission applies to the bucket itself and not to items within the bucket.

    As shown below, you have to have the s3:ListBucket permission as a separate statement from the permissions pertaining to items within the bucket like s3:GetObject and s3:PutObject:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"        
          ],
          "Principal": {
            "AWS": "[IAM ARN HERE]"
          },
          "Resource": "arn:aws:s3:::my-bucket-name"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject", 
            "s3:PutObject"
          ],
          "Principal": {
            "AWS": "[IAM ARN HERE]"
          },
          "Resource": "arn:aws:s3:::my-bucket-name/*"
        }
      ]
    }
    
    0 Discuss (0)
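The thread converges on one rule: bucket-level actions (s3:ListBucket) only match the bare bucket ARN, object-level actions (s3:GetObject, s3:PutObject) only match object ARNs ending in "/...", and mixing them in one statement with a single resource is what produces the "Action does not apply to any resource(s) in statement" error. The script below is an added example, not code from the question or any of the answers. It lints a policy document for that mismatch, rewrites an offending statement into the per-level pair shown in the last answer, and additionally flags the pattern in the third answer where "Principal": "*" is combined with s3:PutObject, which makes the bucket world-writable. ACTION_LEVEL is an assumed subset of the AWS S3 action table covering only the actions mentioned on this page, and the sample policy is constructed to reproduce the question's mistake.

```python
"""Added example: lint and fix S3 bucket policies for action/resource level mismatches."""
import json
import re

# Assumed subset of the AWS S3 action table: which resource type each action applies to.
# Extend this for other actions; unknown actions are left untouched.
ACTION_LEVEL = {
    "s3:ListBucket": "bucket",
    "s3:GetBucketLocation": "bucket",
    "s3:GetObject": "object",
    "s3:PutObject": "object",
    "s3:DeleteObject": "object",
}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject"}

BUCKET_ARN = re.compile(r"^arn:[^:]+:s3:::[^/]+$")      # arn:aws:s3:::bucket
OBJECT_ARN = re.compile(r"^arn:[^:]+:s3:::[^/]+/.+$")   # arn:aws:s3:::bucket/key-or-*


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_levels(resources):
    """Return the set of resource types ('bucket', 'object') a Resource element can match."""
    levels = set()
    for arn in _as_list(resources):
        if arn == "*":
            return {"bucket", "object"}
        if BUCKET_ARN.match(arn):
            levels.add("bucket")
        elif OBJECT_ARN.match(arn):
            levels.add("object")
    return levels


def is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings that mean anyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def check_policy(policy):
    """Return findings as (sid, message) tuples; an empty list means nothing was found."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        levels = resource_levels(stmt.get("Resource", []))
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            need = ACTION_LEVEL.get(action)
            if need is not None and need not in levels:
                findings.append((sid, f"{action} applies to {need} ARNs only, but the statement lists none"))
        if stmt.get("Effect") == "Allow" and is_public(stmt.get("Principal")) and WRITE_ACTIONS & set(actions):
            findings.append((sid, "anonymous principal granted object write access"))
    return findings


def split_statement(stmt):
    """Rewrite one statement into one statement per resource level (the fix from the thread).

    Bucket-level actions get the bare bucket ARN(s); object-level actions keep the object ARNs
    given, or fall back to bucket/* when none were given (this widens scope to every object,
    exactly as the answers above do). Actions with unknown level keep the original resources.
    """
    resources = _as_list(stmt.get("Resource", []))
    if "*" in resources:
        return [stmt]
    buckets = sorted({re.sub(r"/.*$", "", r) for r in resources})
    by_level = {"bucket": [], "object": [], None: []}
    for action in _as_list(stmt.get("Action", [])):
        by_level[ACTION_LEVEL.get(action)].append(action)
    out = []
    for level, actions in by_level.items():
        if not actions:
            continue
        if level == "bucket":
            res = buckets
        elif level == "object":
            res = [r for r in resources if OBJECT_ARN.match(r)] or [b + "/*" for b in buckets]
        else:
            res = resources
        new = dict(stmt, Action=actions, Resource=res)
        if "Sid" in stmt:  # Sids must stay unique within a bucket policy
            new["Sid"] = f"{stmt['Sid']}-{level or 'other'}"
        out.append(new)
    return out


def fix_policy(policy):
    """Return a copy of the policy with every statement split by resource level."""
    statements = [s for stmt in _as_list(policy.get("Statement", [])) for s in split_statement(stmt)]
    return {**policy, "Statement": statements}


# Constructed sample reproducing the question's mistake: ListBucket with only an object ARN,
# plus the public-write grant from the third answer.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

if __name__ == "__main__":
    for sid, msg in check_policy(BROKEN_POLICY):
        print(f"{sid}: {msg}")
    print(json.dumps(fix_policy(BROKEN_POLICY), indent=2))
```

Run the script as-is to see the two findings on the sample and the rewritten two-statement policy. The public-write finding survives the rewrite on purpose: splitting statements fixes the console error but says nothing about who the principal is, and the third answer's policy would hand s3:PutObject to the whole internet.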