发表新帖
发表新帖

S3 Bucket action doesn't apply to any resources

前端 未结
关注
11 672
无人及你
无人及你 2021-01-30 09:55

I\'m following the instructions from this answer to generate the follow S3 bucket policy:

{
  \"Id\": \"Policy1495981680273\",
  \"Version\": \"2012-10-17\",
  \
相关标签:
11条回答
  • 忘了有多久
    2021-01-30 10:34
    • Go to Amazon S3 in your instance.
    • Go to Permissions -> Public Access tab.
    • Select Edit and uncheck Block all public access and save.
    • You will see 'Public' tag in Permission tab and Access Control List.
    0 讨论(0)
  • 挽巷
    2021-01-30 10:35

    You have to check the pattern of the arn defined under the Resource tag for the Policy-

    "Resource": "arn:aws:s3:::s3mybucketname/*"

    With the addition of "/*" at the end would help to resolve the issue if you face it even after having your Public Access Policy Unblocked for your Bucket.

    0 讨论(0)
  • 终归单人心
    2021-01-30 10:38

    Just ran into this issue and found a shorter solution for those that want to have ListBucket and GetObject in the same policy.

    {
  "Id": "Policyxxxx961",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxx4365",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
          "arn:aws:s3:::bucket-name",
          "arn:aws:s3:::bucket-name/*"
      ],
      "Principal": "*"
    }
  ]
}
    0 讨论(0)
  • 遥遥无期
    2021-01-30 10:38

    From AWS > Documentation > AWS Identity and Access Management > User Guide https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

    It is clearly defined in a note, Some services do not let you specify actions for individual resources.

    you use the wildcard * in the Resource element

    "Resource": "arn:aws:s3:::surplace-audio/*"

    0 讨论(0)
  • 不要未来只要你来
    2021-01-30 10:40

    Just removing the s3:ListBucket permission wasn't really a good enough solution for me, and probably isn't for many others.

    If you want the s3:ListBucket permission, you need to just have the plain arn of the bucket (without the /* at the end) as this permission applies to the bucket itself and not items within the bucket.

    As shown below, you have to have the s3:ListBucket permission as a separate statement from the permissions pertaining to items within the bucket like s3:GetObject and s3:PutObject:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"        
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", 
        "s3:PutObject"
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}
    0 讨论(0)
 看不清?
提交回复
热议问题