AWS S3: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

I have an AWS account with read/write permissions as shown below: [screenshot not available]

I'd like to make it so that an IAM user can download files from an S3 bucket, but I'm getting access denied when executing aws s3 sync s3://<bucket_name> . I have tried various things, but to no avail. Some steps that I did:

  1. Created a user called s3-full-access
  2. Executed aws configure in my CLI and entered the generated access key id and secret access key for the above user
  3. Created a bucket policy (shown below) that I'd hoped grants access to the user created in the first step.

[screenshot not available]

My bucket has a folder named AffectivaLogs in which files were being added anonymously by various users, and it seems that although the bucket is public, the folder inside it is not. I am not even able to make it public, and it leads to the following error.

[screenshot not available]

Following are the public access settings:

[screenshot not available]

Update: I updated the bucket policy as follows, but it doesn't work.

[screenshot not available]

Vipin Verma, asked Feb 18 '19 00:02


3 Answers

To test the situation, I did the following:

  • Created an IAM User with no attached policies
  • Created an Amazon S3 bucket
  • Turned off S3 block public access settings:
    • Block new public bucket policies
    • Block public and cross-account access if bucket has public policies
  • Added a Bucket Policy granting s3:* access to the contents of the bucket for the IAM User

I then ran aws s3 sync and got Access Denied.

I then modified the policy to also permit access to the bucket itself:

{
    "Id": "Policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket/*",
                "arn:aws:s3:::my-bucket"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/stack-user"
                ]
            }
        }
    ]
}

This worked.

Bottom line: Also add permissions to access the bucket, in addition to the contents of the bucket. (I suspect it is because aws s3 sync requires listing of bucket contents, in addition to accessing the objects themselves.)

John Rotenstein, answered Oct 09 '22 07:10
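The bucket-versus-contents distinction in the answer above can be checked mechanically before touching the account. The following is an added example, not code from the original answer: a small Python checker that tests whether a bucket policy grants a given IAM user both s3:ListBucket on the bucket ARN and s3:GetObject on the objects under it, which is what aws s3 sync needs. The account id 123456789012, the stack-user ARN and both policies are constructed sample values modelled on the answer; the checker ignores Deny statements, Conditions, identity-based policies and Block Public Access settings, all of which the real evaluation also applies.

```python
import copy
import fnmatch
import json

# Constructed: the "objects only" bucket policy that produced Access Denied in the
# answer above. It covers the objects but not the bucket ARN itself.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "statement", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/stack-user"},
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}""")
# The fix from the answer: also grant the bucket ARN, so listing is allowed.
FIXED_POLICY = copy.deepcopy(BROKEN_POLICY)
FIXED_POLICY["Statement"][0]["Resource"] = [
    "arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket"]
# What `aws s3 sync s3://my-bucket .` needs: ListBucket on the bucket ARN and
# GetObject on the object ARNs under it.
SYNC_REQUIREMENTS = [
    ("s3:ListBucket", "arn:aws:s3:::{bucket}"),
    ("s3:GetObject", "arn:aws:s3:::{bucket}/*"),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(stmt, user_arn, action, resource):
    """True if one Allow statement covers this principal, action and resource.
    Simplification: explicit Deny statements and Condition blocks are ignored."""
    principal = stmt.get("Principal", {})
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if stmt.get("Effect") != "Allow" or not any(p in ("*", user_arn) for p in principals):
        return False
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())  # IAM actions are case-insensitive
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def missing_sync_permissions(policy, user_arn, bucket):
    """Return the (action, resource) pairs the bucket policy does not grant."""
    return [(action, tmpl.format(bucket=bucket))
            for action, tmpl in SYNC_REQUIREMENTS
            if not any(_allows(s, user_arn, action, tmpl.format(bucket=bucket))
                       for s in policy["Statement"])]
```

Against a live account, aws iam simulate-principal-policy evaluates the full policy set and is the authoritative check.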


If you have KMS encryption enabled on the bucket, you should also add a policy that allows you to decrypt data using the KMS key.

Vitaliy Krasovskiy, answered Oct 09 '22 07:10


You can configure the S3 bucket policy with the required principal:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountId:user/*"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket"
        },
        {
            "Sid": "GetObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountId:user/*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}

Or you can create an IAM policy and attach it to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::bucket"
        },
        {
            "Sid": "GetObject",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}

Piyush Sonigra, answered Oct 09 '22 08:10