What is the correct syntax for Cloudformation AWS::IAM::Policy for S3 full access

Question

In a CloudFormation script I create an IAM::Policy that gets applied to a Kinesis Firehose. It has the following PolicyDocument Statement

Statement:
  - Effect: Allow
    Action:
      - 's3:AbortMultipartUpload'
      - 's3:GetBucketLocation'
      - 's3:GetObject'
      - 's3:ListBucket'
      - 's3:ListBucketMultipartUploads'
      - 's3:PutObject'
    Resource: arn:aws:s3:::mybucketname

This comes from the AWS docs.

When I test this with Test Data it does not allow any data through. If I edit the Policy and add S3FullAccess it begins allowing the Test Data through to the S3 bucket. I've also tried with

Resource: arn:aws:s3:::mybucketname/*

and get the same results.

If I change the CloudFormation script to this

Statement:
  - Effect: Allow
    Action: 's3:*'
    Resource: '*'

it allows Test Data through.

What's wrong with the first statement?

Answer 1

These actions operate at the bucket level and require a resource of arn:aws:s3:::mybucketname :

• s3:GetBucketLocation
• s3:ListBucket
• s3:ListBucketMultipartUploads

These actions operate at the object level and require a resource of arn:aws:s3:::mybucketname/* (or a particular prefix such as arn:aws:s3:::mybucketname/invoices/* ):

• s3:AbortMultipartUpload
• s3:GetObject
• s3:PutObject

You can figure out whether an action operates at the Bucket or Object level by reviewing the Resource Types column on: Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management

You can either list the actions separately, or combine them with:

    Action:
      - 's3:AbortMultipartUpload'
      - 's3:GetBucketLocation'
      - 's3:GetObject'
      - 's3:ListBucket'
      - 's3:ListBucketMultipartUploads'
      - 's3:PutObject'
    Resource:
      - arn:aws:s3:::mybucketname
      - arn:aws:s3:::mybucketname/*

Answer 2

See if you can try cloudkast . It is an online cloudformation template generator.