I have the following IAM policy for a user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1395161912000",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucketname"
]
},
{
"Sid": "list",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
The goal is to let the user upload files to the bucket, but not overwrite or delete. It's for backup. I started out with ListBucket and PutObject, but added * as it didn't work. Not even * lets the user upload files, just getting Access Denied.
When I try the Simulator, it returns Denied - Implicitly denied (no matching statements found). for ListBucket, which seems odd since I've implicitly allowed that.
I've tried both Cyberduck and 3Hub as S3 clients.
Any idea what's wrong?
When crafting Amazon IAM policies for Amazon S3, you need to be aware of the difference between Operations on the Service (e.g. ListAllMyBuckets), Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject).
In particular, the
Resourcespecification of your policy needs to address the appropriate target entities according to the following patterns (see e.g. the various Example Policies for Amazon S3):arn:aws:s3:::*arn:aws:s3:::<bucket>arn:aws:s3:::<bucket>/<object>Solution
You are encountering
Access Denied, because you've specified a bucket level resource forPutObject, which requires an object level resource specification likearn:aws:s3:::<bucket>/*- accordingly, the following policy should cover your sample use case: