
Hoping you can help!

I created a new AWS test account.

I created a new bucket in S3, not selecting any of the recommended public or private settings. It says, "Objects can be public".

I then created an IAM user for programmatic access, downloaded access and secret keys.

I then created the following policy to grant access to said bucket as per this AWS article: https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/

Here is the policy (bucketName redacted):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::test-bucket"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::test-bucket/*"
                ]
            }
        ]
    }

I then attached this policy to this user.

When using the SDK or Policy Simulator, confirming that I am using the proper keys, I keep getting Access Denied errors.

The policy simulator says, "Implicitly denied (no matching statements)".

Thanks in advance.


1 Answer


The policy you attached to the user is fine. Just make sure you have the right bucket name and are using the correct access keys while testing the actions.

I tested with the same policy, just changing the bucket name. Below are the outputs:

  1. I have set the profile on my local machine with the right access keys.
  2. Below is the output before and after adding the policy.


Alternatively, you can use the bucket policy below.

Add the policy below to your Bucket Policy. Change the account number, username and bucket name accordingly.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "statement1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::01234567890:user/test-user"
                },
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::bucketname"
            },
            {
                "Sid": "statement2",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::01234567890:user/test-user"
                },
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject"
                ],
                "Resource": "arn:aws:s3:::bucketname/*"
            }
        ]
    }
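The "Implicitly denied (no matching statements)" result in the question and the "check the bucket name" advice in the answer come down to the same rule: a request is allowed only when some statement's Action and Resource (and, for a bucket policy, Principal) all match, and bucket-level actions such as s3:ListBucket match the bucket ARN while object-level actions such as s3:GetObject match only the `bucket/*` object ARN. The toy evaluator below, an added example and not AWS or the posters' code, models just that rule so you can see which request shapes fall through to an implicit deny. It uses the question's identity policy and the answer's bucket policy with the bucket name "test-bucket" and an assumed 12-digit placeholder account ID; Conditions, NotAction/NotResource, SCPs, permission boundaries, ACLs and Block Public Access are not modelled.

```python
"""Toy IAM policy matcher (added example, not AWS code).

Models only the matching step that produces "Implicitly denied (no matching
statements)": an explicit Deny that matches wins, otherwise a matching Allow
wins, otherwise the request is implicitly denied.
"""
import json
import re

# Identity-based policy from the question, bucket name "test-bucket".
USER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::test-bucket"]},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::test-bucket/*"]}
  ]
}
""")

# Bucket policy from the answer; the account ID is an assumed placeholder.
TEST_USER = "arn:aws:iam::123456789012:user/test-user"
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "statement1", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/test-user"},
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::test-bucket"},
    {"Sid": "statement2", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/test-user"},
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::test-bucket/*"}
  ]
}
""")


def _as_list(value):
    """Action, Resource and Principal may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principal_matches(stmt, principal):
    """Identity policies carry no Principal; bucket policies must name the caller."""
    if "Principal" not in stmt:
        return True
    spec = stmt["Principal"]
    if spec == "*":
        return True
    return principal is not None and any(
        _wild(p, principal, False) for p in _as_list(spec.get("AWS", [])))


def evaluate(policies, action, resource, principal=None):
    """Return ("allow" | "explicit_deny" | "implicit_deny", [Sids of matching statements])."""
    matched, effect = [], "implicit_deny"
    for policy in policies:
        for i, stmt in enumerate(policy["Statement"]):
            if not _principal_matches(stmt, principal):
                continue
            # Action names match case-insensitively; resource ARNs are case-sensitive.
            if not any(_wild(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wild(r, resource, False) for r in _as_list(stmt["Resource"])):
                continue
            matched.append(stmt.get("Sid", f"statement[{i}]"))
            if stmt["Effect"] == "Deny":
                return "explicit_deny", matched
            effect = "allow"
    return effect, matched


def diagnose(policies, action, resource, principal=None):
    """One-line verdict in the Policy Simulator's wording."""
    effect, sids = evaluate(policies, action, resource, principal)
    text = {"allow": "allowed", "explicit_deny": "explicitly denied",
            "implicit_deny": "implicitly denied (no matching statements)"}[effect]
    return f"{action} on {resource}: {text}" + (f" via {', '.join(sids)}" if sids else "")


if __name__ == "__main__":
    # Requests typically tried while chasing an Access Denied against this policy.
    for action, resource in [
        ("s3:ListBucket", "arn:aws:s3:::test-bucket"),         # bucket action, bucket ARN
        ("s3:GetObject", "arn:aws:s3:::test-bucket/a.txt"),    # object action, object ARN
        ("s3:ListBucket", "arn:aws:s3:::test-bucket-2"),       # wrong bucket name
        ("s3:GetObject", "arn:aws:s3:::test-bucket"),          # object action on bucket ARN
        ("s3:GetObject", "*"),                                 # simulator with no resource set
        ("s3:GetBucketLocation", "arn:aws:s3:::test-bucket"),  # never granted by the user policy
    ]:
        print(diagnose([USER_POLICY], action, resource))
    # The bucket policy grants GetBucketLocation, but only to the named principal.
    print(diagnose([BUCKET_POLICY], "s3:GetBucketLocation", "arn:aws:s3:::test-bucket", TEST_USER))
    print(diagnose([BUCKET_POLICY], "s3:GetBucketLocation", "arn:aws:s3:::test-bucket",
                   "arn:aws:iam::123456789012:user/someone-else"))
```

The two cases worth remembering from the run are `s3:GetObject` on the bare bucket ARN and on `*`: both are implicitly denied because the only GetObject statement is scoped to `arn:aws:s3:::test-bucket/*`, which is exactly what the simulator reports when the resource field is left empty or filled with the bucket ARN. When the real call fails with the same message, compare the bucket name in the policy with the one in the request byte for byte, and confirm with `aws sts get-caller-identity` that the keys you are testing belong to the user the policy is attached to.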