
AWS S3 Bucket Policy is not valid

I am getting very frustrated with AWS today as it seems to provide validation errors that have literally no relevance to the actual issues (it's almost like working on Windows 3.1 again), and the frustration keeps on coming with this latest irritation using the policies on S3.

I am trying to extend an existing S3 bucket policy on a bucket that has ACLs disabled, in order to enable server access logs.

I have extended the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MyS3Bucket/*"
        },
-- NEW PART BELOW ---
        {
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::MyS3LogsBucket/*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:::MyS3Bucket"
                },
                "StringEquals": {
                    "aws:SourceAccount": "MyAccountId"
                }
            }
        }
    ]
}

However, no matter whether I follow the documentation found at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.html#object-ownership-server-access-logs , use the in-built policy generator within S3, or use the other policy generator found at https://awspolicygen.s3.us-east-1.amazonaws.com/policygen.html , I am constantly getting errors such as "Policy has invalid resource".

Please can someone tell me what is wrong with the above because the resource does exist and the name is copied directly from the resource itself, so there are no typos.

I suspect that you have the Source and Destination buckets switched.

Let's say:

  • Source bucket is the one that you want to track via Server Access Logging
  • Destination bucket is where you would like the logs stored

The policy should be placed on the Destination bucket. Here is the policy that was automatically created for me on my Destination bucket when I activated Server Access Logging:

{
    "Version": "2012-10-17",
    "Id": "S3-Console-Auto-Gen-Policy",
    "Statement": [
        {
            "Sid": "S3PolicyStmt-DO-NOT-MODIFY",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::destination-bucket/*"
        }
    ]
}

It would seem that you are placing the policy on the Source bucket, based upon the fact that you have a policy that is making the entire bucket public, and the fact that you said you are 'extending' an existing policy.

Basically, the bucket that is referenced in Resource should be the bucket on which the policy is being placed. In your policy above, two different buckets are being referenced in the Resource fields.
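As an added check that is not part of the question or the answer, the following Python script applies the rule given above (every Resource ARN must belong to the bucket the policy is attached to) to the asker's policy, and additionally flags a logging statement that lacks the aws:SourceArn / aws:SourceAccount conditions. The bucket names are taken from the question; the account id is a constructed placeholder.

```python
LOGGING_SERVICE = "logging.s3.amazonaws.com"
S3_ARN_PREFIX = "arn:aws:s3:::"


def bucket_from_arn(arn):
    """Return the bucket name from an S3 ARN such as arn:aws:s3:::bucket/* (None if not S3)."""
    if not arn.startswith(S3_ARN_PREFIX):
        return None
    return arn[len(S3_ARN_PREFIX):].split("/", 1)[0]


def check_logging_policy(policy, attached_bucket):
    """List problems with `policy` when it is attached to the bucket `attached_bucket`."""
    problems = []
    saw_logging_stmt = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        # Every Resource in a bucket policy must name the bucket the policy is attached to.
        for res in resources:
            if bucket_from_arn(res) != attached_bucket:
                problems.append(f"{sid}: Resource {res} is not in bucket {attached_bucket}")
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and principal.get("Service") == LOGGING_SERVICE:
            saw_logging_stmt = True
            cond = stmt.get("Condition", {})
            # Without these keys, any bucket in any account could be configured to log here.
            arn_keys = {**cond.get("ArnLike", {}), **cond.get("ArnEquals", {})}
            if "aws:SourceArn" not in arn_keys:
                problems.append(f"{sid}: logging statement lacks aws:SourceArn condition")
            if "aws:SourceAccount" not in cond.get("StringEquals", {}):
                problems.append(f"{sid}: logging statement lacks aws:SourceAccount condition")
    if not saw_logging_stmt:
        problems.append(f"no statement grants {LOGGING_SERVICE} access")
    return problems


# Constructed sample mirroring the question: a public-read statement for MyS3Bucket
# plus a logging statement whose Resource points at a different bucket (MyS3LogsBucket).
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::MyS3Bucket/*"},
    {"Sid": "S3ServerAccessLogsPolicy", "Effect": "Allow",
     "Principal": {"Service": LOGGING_SERVICE}, "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::MyS3LogsBucket/*",
     "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::MyS3Bucket"},
                   "StringEquals": {"aws:SourceAccount": "123456789012"}}}]}

if __name__ == "__main__":
    for bucket in ("MyS3Bucket", "MyS3LogsBucket"):  # whichever bucket it is attached to, one statement is wrong
        print(bucket, check_logging_policy(QUESTION_POLICY, bucket))
```

Whichever of the two buckets the policy is attached to, one statement references the other bucket, which is exactly the mismatch that produces the "Policy has invalid resource" error.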
