S3 IAM policy for one bucket not granting access
Question
Can someone explain me why this policy doesn't work? What I want: full S3 control for the IAM user but limited to two buckets, defined by their ARNs. I always get Access Denied when trying to upload with AWS SDK from my server. Thank you
1 answers
solution1
2 2020-12-17 16:02:49
There are some possibilities here, it's hard to tell without seeing the full setup.
- There is a bucket policy which explicitly denies the action
- Bucket is encrypted and the user lacks KMS permissions
- There is conflicting policy which takes precedence, like SCP policy. Try using https://policysim.aws.amazon.com/home/index.jsp , it's not 100% accurate but it can give a hint
- You can also use CloudTrail to track all API calls made by user and determine which call failed
As an aside, you should be able to combine these policies by combining resources: Resource: ["arn_1", "arn_2"]
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
How to identify which policy/role is granting access to S3 bucket
IAM policy on S3 bucket
S3 PutObject operation gives Access Denied with IAM Role containing Policy granting access to S3
AWS IAM Group Policy to limit visibility & access to only one signle S3 bucket
AWS IAM Policies: How do I alter the AWSLambdaFullAccess policy to only allow access to one S3 bucket?
Access is denied even if IAM user is specified in S3 bucket policy
IAM Policy: Users cannot access S3 bucket
IAM Policy to determine S3 Bucket access based on user tags
S3 Bucket Policy and IAM Role Conflicting
Permission denied for IAM policy to S3 bucket
Related Tags