This documentation page that specifies the permission for s3 bucket subresources states that s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration are the permissions for giving access to the GET Bucket encryption operation. But when I apply these permissions in a policy, the policy editor informs me the actions are not recognized.
Furthermore, when I save the policy with these permissions and apply the policy to a Lambda function (or IAM user), the GET Bucket encryption operation fails. Used from boto3 in Python, for example:
An error occurred (AccessDenied) when calling the GetBucketEncryption operation: Access Denied
When all s3 permissions or all Get permissions are applied (s3:* or s3:Get*), the operation succeeds. But when I check every single box for s3 actions in the policy editor to explicitly include each permission, the operation still fails with access denied.
What is the correct name for this action? I've tried simply GetBucketEncryption, but still no dice. There is clearly SOMETHING that gives permission for the operation or the wildcard actions wouldn't work.
Does not work:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
Works:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
The question is solved now: at the time, s3:GetEncryptionConfiguration was not recognized by the Visual Editor since it had been released recently. The Visual Editor will not always have the latest actions released by AWS.
For future reference, you can always double-check the exact actions a service requires in the Service Authorization Reference. Mostly it is one-to-one with the API actions, but occasionally an API action has a slightly differently named IAM action or has some dependencies. For example, the s3:ListObjectsV2 API action requires the s3:ListBucket permission.
aws.permissions.cloud is also a third-party reference that attempts to map API actions to permissions and vice versa. Keep in mind that it may show fewer permissions than are required for an API action for newer services.
If the above isn't good enough, you should always check the documentation of the service regarding security and IAM policies; it should have it covered. If it doesn't, providing documentation feedback on your query often results in edits or a response from the technical writer behind it. I'm not affiliated with AWS, but I have provided feedback a few times and received helpful responses.
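An added example, not part of the question or the answer above: a small offline model of how IAM matches a policy's Action element against the IAM action name an API call requires. It shows why "s3:Get*" authorizes GetBucketEncryption while the literal "s3:GetBucketEncryption" does not, and why "s3:GetEncryptionConfiguration" is the name that works. The API-to-IAM-action mapping is constructed from the two cases mentioned on this page; the function names and the bucket ARN are assumptions for illustration only, and the Service Authorization Reference remains the source of truth for real mappings.

```python
"""Offline model of IAM Action matching for an identity policy.

Added example, not AWS code. It reproduces two documented rules:
  * the Action element supports '*' and '?' wildcards and is case-insensitive
  * an explicit Deny wins over any Allow; no matching statement is an implicit deny
"""
import fnmatch
from typing import Any, Dict, List

# Constructed mapping of API operation -> IAM action it requires.
# Only the cases discussed on the page are listed; real services have many more.
API_TO_IAM_ACTION: Dict[str, str] = {
    "GetBucketEncryption": "s3:GetEncryptionConfiguration",
    "PutBucketEncryption": "s3:PutEncryptionConfiguration",
    "ListObjectsV2": "s3:ListBucket",
}


def _as_list(value: Any) -> List[Any]:
    """Policy elements may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """Match an Action pattern such as 's3:Get*' against a concrete IAM action.

    fnmatchcase gives '*' and '?' semantics; lowering both sides models the
    case-insensitive Action element. (fnmatch also understands '[...]'
    classes, which IAM does not, but action names never contain brackets.)
    """
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_matches(pattern: str, resource_arn: str) -> bool:
    """Resource ARNs also accept '*' and '?', but are matched case-sensitively."""
    return fnmatch.fnmatchcase(resource_arn, pattern)


def is_allowed(policy: Dict[str, Any], iam_action: str, resource_arn: str) -> bool:
    """Evaluate a single identity-based policy for one action on one resource."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(action_matches(p, iam_action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(resource_matches(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False          # explicit deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True        # keep scanning: a later Deny could still apply
    return allowed


def api_call_allowed(policy: Dict[str, Any], api_operation: str, resource_arn: str) -> bool:
    """Translate an API operation name to its IAM action, then evaluate the policy.

    Raises KeyError for operations outside the constructed mapping so that an
    unknown name is never silently treated as allowed.
    """
    iam_action = API_TO_IAM_ACTION[api_operation]
    return is_allowed(policy, iam_action, resource_arn)


def make_policy(*actions: str, effect: str = "Allow") -> Dict[str, Any]:
    """Build a one-statement policy over all S3 resources (hypothetical helper)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": effect, "Action": list(actions), "Resource": ["arn:aws:s3:::*"]}],
    }


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"   # constructed ARN
    for pattern in ("s3:GetEncryptionConfiguration", "s3:GetBucketEncryption", "s3:Get*"):
        verdict = api_call_allowed(make_policy(pattern), "GetBucketEncryption", bucket)
        print(f"{pattern:32s} -> GetBucketEncryption allowed: {verdict}")
```

The evaluator deliberately keeps scanning after an Allow so that a later Deny statement is honoured, which is the behaviour that makes "deny by default, explicit deny wins" hold. To confirm a policy against the live service rather than this model, IAM's policy simulator (boto3's `iam.simulate_custom_policy` with `PolicyInputList` and `ActionNames`) evaluates the real action names without making the S3 call.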