We Keep Coding

Getting "Insufficient permissions to list objects" error with S3 bucket policy

I setup a bucket policy to allow two external users arn:aws:iam::123456789012:user/user1 and arn:aws:iam::123456789012:user/user2 to access everything under a particular path in our S3 bucket - s3:my-bucket-name/path/. But the user is getting the following error when trying to access the path on AWS console:
Insufficient permissions to list objects
After you or your AWS administrator have updated your permissions to allow the s3:ListBucket action, refresh the page. Learn more about identity and access management in Amazon S3.
Here's the policy document. What am I missing here?
{
"Version": "2012-10-17",
"Id": "allowAccessToBucketPath",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/user1",
"arn:aws:iam::123456789012:user/user2"
]
},
"Action": [
"s3:PutObject",
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::my-bucket-name/path/*",
"arn:aws:s3:::my-bucket-name/path"
]
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/user1",
"arn:aws:iam::123456789012:user/user2"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": "path/*"
}
}
}
]
}

I would check if you have any ACLs enabled for your bucket. In your bucket settings, check if Object Ownership is set to "ACLs enabled", in which case I would suggest you change it to "ACLs disabled".
If that doesn't work, I would suggest using the IAM Access Analyzer to help troubleshoot -- if the Access Analyzer says that your policy does in fact allow the access you want, then that would indicate that this policy is correctly defined, and you have other configurations on your bucket preventing the access.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html

What is Wrong With My AWS Policy?

I am trying to give a programmatic IAM user access to a single bucket.
I setup the following policy and attached it to the user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
Trying to programatically upload a file I got a 403.
I got this policy from here:
Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
I verified that everything else is working by then adding an AWS managed policy, AmazonS3FullAccess, after which my upload succeeded. But I would rather not give this user full access.
There are no other policies attached to this user.

Nothing is wrong with your policy. Make sure you're using the right bucket name in the IAM policy and to add the policy to the user.
You can test it with IAM Policy Simulator. Maybe you should consider the time to policies take effect, but it's "almost immediately". See this answer.

You can try this policy to give full access to a particular bucket:
{
"Version": "2012-10-17",
"Statement": [{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<BUCKETNAME>/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
Since you are providing Put, Get, Delete, You might as well provide full access to the particular bucket.

AWS IAM Group Policy to limit visibility & access to only one signle S3 bucket

I created a bucket which host some web small web page and a few docs which should only be read accessible by users which have a certain login in IAM. These users should only have (read) access to this specific bucket and no other bucket. Ideally these users shouldn't even know that there are other buckets out there.
For this I create a "test" user in IAM, added the user to a group and assigned a group policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowS3GetActionsInPrivateFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my.web.page/*"
]
}
]
}
When I login with the test user and navigate to S3 I can see all my other buckets and when I click on another bucket I get a "Sorry, no permission" error. This kinda works but ideally the user shouldn't even be able to even list any other buckets.
When I go to https://s3.amazonaws.com/my.web.page/index.html I get a AccessDenied XML message. How can should I modify the policy to be able to open a html page in this bucket with a browser.
The user still has write access to the bucket. How can I only grant read access?
Your help is much appreciated.

Use this policy it will work. Where it says example bucket put you bucket name
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::examplebucket/*"
]
},
{
"Sid": "AllowS3GetActionsInPrivateFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my.web.page/*"
]
}
]
}

S3 security policy seems to have no effect

I am trying to use S3 as maven repo. I created 2 IAM users for write and read, and used the Policy Generator to create the following bucket policy, which I added to the bucket.
{
"Id": "Policy1442851625435",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1442851437396",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::closeup-maven/*",
"Principal": {
"AWS": [
"arn:aws:iam::642063966117:user/maven-write"
]
}
},
{
"Sid": "Stmt1442851517972",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::closeup-maven/*",
"Principal": {
"AWS": [
"arn:aws:iam::642063966117:user/maven-read"
]
}
},
{
"Sid": "Stmt1442851587864",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::closeup-maven",
"Principal": {
"AWS": [
"arn:aws:iam::642063966117:user/maven-write",
"arn:aws:iam::642063966117:user/maven-read"
]
}
}
]
}
[anonymized]
When I run the Policy Simulator, I get denied for both users.
When I go to the bucket and set Everyone-access for everything, I still get denied in the Policy Simulator, when I am testing with these two users.
What am I missing?

I noticed a disclaimer in the IAM Policy Simulator that says it does not take into account policies attached to resources, like your bucket policy. Maybe if you had the policy attached separately to the IAM users, the simulator would evaluate them.
This action belongs to a service that supports access control mechanisms attached to resources.The policy simulator does not model these mechanisms, so results may differ in your production environment.

On Amazon S3 I'm able to give an individual object download rights but cannot for the entire bucket

I've got images on S3 that I'd like to share with my Rails app. I can get access to the images by setting the permission: Everybody - Open/Download on the S3 UI. I want to set this permission for all objects in the bucket. The bucket permission UI doesn't have the option of Open/Download for users. What is the action I need to assign in the bucket config command to allow this? Here is my current command:
{
"Version": "2008-10-17",
"Id": "anid",
"Statement": [
{
"Sid": "ansid",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::haggard/akey"
}
]
}

Your policy is probably wrong, this one is working fine for Everyone (Anonymous) users:
{
"Id": "Policy1416915063227",
"Statement": [
{
"Sid": "AddCannedAcl",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::examplebucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
I recommend to use the policy generator at the following link:
http://awspolicygen.s3.amazonaws.com/policygen.html