I have set a permission on the bucket that allows "Authenticated Users" to list, upload, and delete from a bucket I created. This seems to allow me to upload files to the bucket, but it appears that downloading files from the bucket is not covered by this permission, and I instead need to define a policy for the bucket. It's not clear to me how to set such a policy. I tried the policy generator with my best guesses at what I should fill in, but the result was not a valid policy when I pasted it in as a new policy for the bucket (it failed with the message "Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number""). Can someone explain what is wrong with the following policy and how to set it correctly to allow authenticated users to retrieve files from the bucket?
{
  "Id": "Policy-some-number",
  "Statement": [
    {
      "Sid": "Stmt-some-number",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}
To create or edit a bucket policy: In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit. Choose Permissions. Under Bucket policy, choose Edit. This opens the Edit bucket policy page.
What Is an S3 Bucket Policy? An S3 bucket policy is an object that allows you to manage access to specific Amazon S3 storage resources. You can specify permissions for each resource to allow or deny actions requested by a principal (a user or role).
You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. Used in a Deny statement, this element blocks all users who are not listed in its value array, even if they have an Allow in their own IAM user policies.
The easiest way to secure your bucket is by using the AWS Management Console. First select a bucket and click the Properties option within the Actions drop down box. Now select the Permissions tab of the Properties panel. Verify that there is no grant for Everyone or Authenticated Users.
s3:GetObject applies to the objects in the bucket, so the Resource is correct: "Resource": "arn:aws:s3:::my-bucket/*".

s3:ListBucket applies to the bucket itself, so the Resource should be "Resource": "arn:aws:s3:::my-bucket".

Your resulting policy should resemble:
{
  "Id": "Policy-some-number",
  "Statement": [
    {
      "Sid": "Stmt-some-number",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    },
    {
      "Sid": "Stmt-some-other-number",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}
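As an added example (not code from the answer or from AWS), the script below reproduces the console's "action does not apply to any resource" rule locally, so a policy can be linted before it is pasted in: bucket-level actions need the bucket ARN, object-level actions need an object ARN. It also lists Allow statements whose Principal is "*", because that principal grants anonymous access, not only authenticated users. The action tables are a hand-maintained subset, and the two sample policies are the ones from this thread.

```python
# Subset of S3 actions by the resource type they apply to (assumption for this
# example; check the AWS action/resource table for anything not listed here).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"}

S3_ARN_PREFIX = "arn:aws:s3:::"


def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_kind(arn):
    """'arn:aws:s3:::bucket' -> 'bucket'; 'arn:aws:s3:::bucket/...' -> 'object'."""
    if not arn.startswith(S3_ARN_PREFIX):
        return "unknown"
    return "object" if "/" in arn[len(S3_ARN_PREFIX):] else "bucket"


def scope_errors(policy):
    """Each action in a statement must match at least one resource of its kind."""
    errors = []
    for stmt in policy["Statement"]:
        kinds = {resource_kind(r) for r in as_list(stmt["Resource"])}
        for action in as_list(stmt["Action"]):
            need = "bucket" if action in BUCKET_ACTIONS else "object" if action in OBJECT_ACTIONS else None
            if need and need not in kinds:
                errors.append(f'Action "{action}" in Statement "{stmt.get("Sid")}" does not apply to any resource')
    return errors


def public_allow_sids(policy):
    """Sids of Allow statements granted to Principal "*" (anyone, including anonymous)."""
    sids = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else as_list(principal)
        if stmt.get("Effect") == "Allow" and "*" in aws:
            sids.append(stmt.get("Sid"))
    return sids


# The policy from the question (rejected by the console) and the corrected one.
PUBLIC = {"AWS": ["*"]}
ORIGINAL = {"Id": "Policy-some-number", "Statement": [
    {"Sid": "Stmt-some-number", "Action": ["s3:GetObject", "s3:ListBucket"], "Effect": "Allow",
     "Resource": "arn:aws:s3:::my-bucket/*", "Principal": PUBLIC}]}
FIXED = {"Id": "Policy-some-number", "Statement": [
    {"Sid": "Stmt-some-number", "Action": ["s3:GetObject"], "Effect": "Allow",
     "Resource": "arn:aws:s3:::my-bucket/*", "Principal": PUBLIC},
    {"Sid": "Stmt-some-other-number", "Action": ["s3:ListBucket"], "Effect": "Allow",
     "Resource": "arn:aws:s3:::my-bucket", "Principal": PUBLIC}]}
```

Running `scope_errors(ORIGINAL)` reports the same ListBucket mismatch the console did, while `scope_errors(FIXED)` is empty; `public_allow_sids` flags both statements of the fixed policy, which is worth knowing if the intent was really "authenticated users only".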