5 votes

I am struggling to get an AWS S3 IAM user policy to work. This is my current IAM user's policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1424859689000",
                "Effect": "Allow",
                "Action": [
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::vault-us/*"
                ]
            }
        ]
    }

When I do a POST to create a new object in my S3 bucket I get a 403 Forbidden error, but when I use the managed policy called 'AmazonS3FullAccess' everything works just fine.

What I am trying to do is restrict certain IAM users to upload/download rights, but I am struggling to get this working.

Any suggestions would be appreciated!


2 Answers

10 votes

I managed to figure out that in order for upload to work I needed to include the action "s3:PutObjectAcl". Here is an example of my IAM policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::vault-us"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::vault-us/*"
                ]
            }
        ]
    }

2 votes

The first thing you can do is figure out whether it's the actions that are wrong or the resource scope. Can you try these two policies one at a time:

    "Action": [
      "s3:*"
    ],
    "Resource": [
      "arn:aws:s3:::vault-us/*"
    ]

and

    "Action": [
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:PutObject"
    ],
    "Resource": [
      "*"
    ]

If the first one works and the second fails, you don't have enough permissions to do your operation, e.g. try adding ListBucket or similar (I tend to add all likely ones and gradually remove them until it breaks).

If the first one breaks and the second one works, then your resource declaration is wrong. The most common fix I've found is to try adding:

    "Action": [
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:PutObject"
    ],
    "Resource": [
      "arn:aws:s3:::vault-us/*",
      "arn:aws:s3:::vault-us"
    ]

If both fail, then chances are both your action and your resource are wrong.

Good Luck
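To see why the asker's policy produces a 403 while the accepted answer's does not, and to reproduce the action-versus-resource split the second answer suggests, here is an added example (not from either poster): a simplified offline IAM evaluator in Python that applies the wildcard and resource-matching rules to each request. `QUESTION_POLICY`, `FIXED_POLICY`, the object key `report.csv` and the `evaluate`/`diagnose` helpers are constructed for this example.

```python
import json
import re

# Constructed sample: the asker's policy. Object actions on "vault-us/*" only;
# nothing in it matches the bucket ARN "arn:aws:s3:::vault-us".
QUESTION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::vault-us/*"]}]}""")

# Constructed sample: the accepted answer's fix, reduced to the two statements
# that change the outcome (bucket-level ListBucket, object-level PutObjectAcl).
FIXED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": ["arn:aws:s3:::vault-us"]},
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
   "Resource": ["arn:aws:s3:::vault-us/*"]}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards: "*" is any run of characters, "?" exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one (action, resource).
    Simplified model (an assumption of this example): explicit Deny wins, else
    any matching Allow, else implicit deny; Conditions and NotAction are ignored."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; ARNs are compared as written.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(_matches(a, action.lower()) for a in actions):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def diagnose(policy):
    """Evaluate the requests an upload client typically makes against vault-us."""
    requests = [("s3:PutObject", "arn:aws:s3:::vault-us/report.csv"),
                ("s3:PutObjectAcl", "arn:aws:s3:::vault-us/report.csv"),
                ("s3:ListBucket", "arn:aws:s3:::vault-us")]
    return {action: evaluate(policy, action, arn) for action, arn in requests}
```

Against the live account, the IAM policy simulator performs the same check with Conditions, bucket policies and SCPs taken into account, which this toy evaluator deliberately leaves out.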