In a CloudFormation script I create an IAM::Policy that gets applied to a Kinesis Firehose. It has the following PolicyDocument Statement
Statement:
  - Effect: Allow
    Action:
      - 's3:AbortMultipartUpload'
      - 's3:GetBucketLocation'
      - 's3:GetObject'
      - 's3:ListBucket'
      - 's3:ListBucketMultipartUploads'
      - 's3:PutObject'
    Resource: arn:aws:s3:::mybucketname
This comes from the AWS docs.
When I test this with Test Data it does not allow any data through. If I edit the Policy and add S3FullAccess
it begins allowing the Test Data through to the S3 bucket. I've also tried with
Resource: arn:aws:s3:::mybucketname/*
and get the same results.
If I change the CloudFormation script to this
Statement:
  - Effect: Allow
    Action: 's3:*'
    Resource: '*'
it allows Test Data through.
What's wrong with the first statement?
These actions operate at the bucket level and require a resource of arn:aws:s3:::mybucketname:
- s3:GetBucketLocation
- s3:ListBucket
- s3:ListBucketMultipartUploads
These actions operate at the object level and require a resource of arn:aws:s3:::mybucketname/* (or a particular prefix such as arn:aws:s3:::mybucketname/invoices/*):
- s3:AbortMultipartUpload
- s3:GetObject
- s3:PutObject
You can figure out whether an action operates at the Bucket or Object level by reviewing the Resource Types column on: Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management
You can either list the actions separately, or combine them with:
Action:
  - 's3:AbortMultipartUpload'
  - 's3:GetBucketLocation'
  - 's3:GetObject'
  - 's3:ListBucket'
  - 's3:ListBucketMultipartUploads'
  - 's3:PutObject'
Resource:
  - arn:aws:s3:::mybucketname
  - arn:aws:s3:::mybucketname/*
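To make the bucket-level versus object-level distinction concrete, here is an added example (not code from the question or the answer above) that simulates how IAM picks the resource ARN each S3 action is evaluated against and then reports which of the six Firehose actions a given Resource element fails to cover. The action-to-resource-type mapping is transcribed for just these six actions; the bucket name, the object key, and the `firehose/` prefix are assumptions for illustration, and the evaluator is a deliberately minimal model (default deny, explicit Deny wins, no condition keys).

```python
# Added example, not code from the original question or answer.
# Models why "Resource: arn:aws:s3:::mybucketname" alone breaks the
# Firehose policy: object-level actions are evaluated against the
# object ARN, bucket-level actions against the bucket ARN.
import fnmatch

# Resource types for the six actions in the Firehose policy
# (from the "Resource types" column of the S3 actions table).
BUCKET_LEVEL = {
    "s3:GetBucketLocation",
    "s3:ListBucket",
    "s3:ListBucketMultipartUploads",
}
OBJECT_LEVEL = {
    "s3:AbortMultipartUpload",
    "s3:GetObject",
    "s3:PutObject",
}
FIREHOSE_ACTIONS = sorted(BUCKET_LEVEL | OBJECT_LEVEL)

# Assumed values for the demonstration.
BUCKET = "mybucketname"
DEFAULT_KEY = "firehose/2024/record.gz"


def _as_list(value):
    # IAM lets Action and Resource be a string or a list of strings.
    return value if isinstance(value, list) else [value]


def required_resource(action, bucket, key=DEFAULT_KEY):
    """ARN the action is actually evaluated against."""
    if action in BUCKET_LEVEL:
        return f"arn:aws:s3:::{bucket}"
    if action in OBJECT_LEVEL:
        return f"arn:aws:s3:::{bucket}/{key}"
    raise ValueError(f"resource type not modelled for {action}")


def is_allowed(statements, action, bucket, key=DEFAULT_KEY):
    """Minimal IAM-style evaluation: default deny, explicit Deny wins."""
    target = required_resource(action, bucket, key)
    allowed = False
    for stmt in statements:
        # Action names match case-insensitively and accept wildcards (s3:*).
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(stmt["Action"])):
            continue
        # Resource ARNs are case-sensitive and accept * wildcards.
        if not any(fnmatch.fnmatchcase(target, pat)
                   for pat in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def denied_actions(statements, bucket):
    """The Firehose actions that the statements leave uncovered."""
    return sorted(a for a in FIREHOSE_ACTIONS
                  if not is_allowed(statements, a, bucket))


def firehose_statement(resources):
    """The question's statement with a configurable Resource element."""
    return [{"Effect": "Allow", "Action": FIREHOSE_ACTIONS,
             "Resource": resources}]


# The three variants discussed above.
BUCKET_ONLY = firehose_statement(f"arn:aws:s3:::{BUCKET}")
OBJECTS_ONLY = firehose_statement(f"arn:aws:s3:::{BUCKET}/*")
BOTH = firehose_statement([f"arn:aws:s3:::{BUCKET}",
                           f"arn:aws:s3:::{BUCKET}/*"])
# Prefix-scoped variant: only keys under the assumed firehose/ prefix.
PREFIX = firehose_statement([f"arn:aws:s3:::{BUCKET}",
                             f"arn:aws:s3:::{BUCKET}/firehose/*"])

if __name__ == "__main__":
    for name, stmts in [("bucket only", BUCKET_ONLY),
                        ("objects only", OBJECTS_ONLY),
                        ("both", BOTH)]:
        print(f"{name:13s} denied: {denied_actions(stmts, BUCKET)}")
```

Running it shows the bucket-only policy denying the three object-level actions (so PutObject, which Firehose needs to deliver data, fails) and the objects-only policy denying the three bucket-level actions; only the version listing both ARNs covers everything, and the prefix-scoped variant covers everything for keys under `firehose/` while still denying writes elsewhere in the bucket.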
See if you can try cloudkast. It is an online CloudFormation template generator.