Reputation: 637
Using s3cmd, the policy below allows me to ListAllBuckets like this:
s3cmd ls
and ListBucket like this:
s3cmd ls s3://backups/
but I cannot upload a file like this:
s3cmd put filename s3://backups/
I just get this error:
ERROR: S3 error: Access Denied
The policy is based on searching and many examples on the web, but I just cannot see where it's going wrong. The policy is to allow a user to just upload files to a backup directory (ultimately I don't even want them to list the buckets, but I put that in just to check the policy was in fact being read at all).
Other possibly relevant info -
Here's the policy; note that the CreateObject and PutObject were the only two original entries, the others were added almost just to see what happened:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:CreateObject",
"s3:*"
],
"Resource": "arn:aws:s3:::backups/*"
}
]
}
EDIT 1 -
Just to say that if I add this policy it works fine, so I know it's something to do with my policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
EDIT 2 - I have made another policy which I have used to create a bucket called "asdwasw432", just in case for whatever reason my UI-created bucket was unusable. But I still cannot upload any file to it (Access Denied). I can list the bucket and create new buckets. All the advice seems to tell me to do exactly what I am doing below, but none of it works. Am I missing something else?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1397834652000",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "Stmt1397834745000",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::asdwasw432",
"arn:aws:s3:::asdwasw432/*"
]
}
]
}
Upvotes: 2
Views: 1234
Reputation: 637
Well, I've fixed it but I'm still confused.
Turns out that when I ran
s3cmd --configure
I accepted the default region of "US". This should have been set to "us-east-1". I found this out by running with debug output:
s3cmd -d ..etc...
This showed me a line that contained this:
'reason': 'Bad Request', 'data': '<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>AuthorizationHeaderMalformed</Code><Message>The authorization header is malformed; the region \'US\' is wrong; expecting \'us-east-1\'</Message><Region>us-east-1</Region>
Rerunning the config and correcting the region solved it.
Please could someone explain why I was able to make it work at all with an incorrect region if the region was in fact the issue? Most recently I got everything to work by making
Action : "*"
which led me down another dead end of assuming I must be using the wrong commands. Just for completeness, this policy works for me (as long as the region is correct!):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::asdwasw432",
"arn:aws:s3:::asdwasw432/*"
]
}
]
}
One final note, I have attached this policy to the user instead of the group. This makes sense for my usage but when I asked the question I was attaching it to a group and adding the user to that group. Not sure if that will make a difference or not.
Upvotes: 3
Reputation: 179064
"Resource": "arn:aws:s3:::backups/*"
...should be...
"Resource": "arn:aws:s3:::your_bucket_name/backups/*"
The * you are using elsewhere is working somewhat by accident, because it's being interpreted as "all my buckets."
Upvotes: 0
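To make the resource-ARN point of the last answer and the "which statement actually matched" question of the asker's own answer concrete, here is an added example (not code from the question or either answer): a minimal evaluator for the Effect/Action/Resource part of an IAM identity policy, run against the policies posted above. It assumes the bucket name "your_bucket_name" from the last answer's placeholder and a hypothetical object key "filename"; it deliberately ignores Conditions, NotAction/NotResource, bucket policies and ACLs, so it only reproduces the decision IAM would reach from these statements alone. It also shows that the policy the asker reports as working grants no s3:ListBucket, so a bucket listing under that policy is implicitly denied.

```python
"""Minimal IAM policy evaluator (added example, not the page's own code).

Models Effect/Action/Resource with IAM's "*" and "?" wildcards and the
standard decision order: explicit Deny wins, then any Allow, else implicit
deny. Conditions, NotAction/NotResource, Principal, bucket policies and
ACLs are out of scope. "your_bucket_name" and "filename" are placeholders.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, target, case_sensitive=True):
    # IAM's "*" (any run of characters) and "?" (one character) have exactly
    # fnmatch's semantics; "[...]" classes are not used in ARNs or actions.
    if not case_sensitive:
        pattern, target = pattern.lower(), target.lower()
    return fnmatch.fnmatchcase(target, pattern)


def evaluate(policy, action, resource_arn):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        # Action names compare case-insensitively; ARNs are case-sensitive.
        action_hit = any(_glob(p, action, case_sensitive=False)
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(_glob(p, resource_arn)
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny cannot be overridden
        decision = "Allow"
    return decision


# The question's second statement: the Resource names a *bucket* called
# "backups", which is the mistake the last answer points out.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::backups/*"},
    ],
}

# Same policy with the resource rewritten as the last answer suggests, i.e. a
# "backups/" prefix inside a bucket ("your_bucket_name" is a placeholder).
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        ORIGINAL_POLICY["Statement"][0],
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::your_bucket_name/backups/*"},
    ],
}

# The policy the asker reports as working once the region was fixed.
WORKING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": ["arn:aws:s3:::asdwasw432", "arn:aws:s3:::asdwasw432/*"]},
    ],
}


def walk_through():
    """Evaluate the requests behind the s3cmd commands in the question."""
    bucket = "arn:aws:s3:::your_bucket_name"
    return {
        # "s3cmd ls s3://your_bucket_name/" is ListBucket on the bucket ARN
        "original: ListBucket": evaluate(ORIGINAL_POLICY, "s3:ListBucket", bucket),
        # "s3cmd put filename s3://your_bucket_name/backups/" is an object ARN
        "original: PutObject under backups/ prefix":
            evaluate(ORIGINAL_POLICY, "s3:PutObject", bucket + "/backups/filename"),
        # the original pattern only matches objects in a bucket *named* backups
        "original: PutObject into bucket 'backups'":
            evaluate(ORIGINAL_POLICY, "s3:PutObject", "arn:aws:s3:::backups/filename"),
        "corrected: PutObject under backups/ prefix":
            evaluate(CORRECTED_POLICY, "s3:PutObject", bucket + "/backups/filename"),
        # the corrected resource does not leak write access to other prefixes
        "corrected: PutObject under other/ prefix":
            evaluate(CORRECTED_POLICY, "s3:PutObject", bucket + "/other/filename"),
        "working: PutObject":
            evaluate(WORKING_POLICY, "s3:PutObject", "arn:aws:s3:::asdwasw432/filename"),
        # the working policy dropped s3:ListBucket, so a listing is denied
        "working: ListBucket":
            evaluate(WORKING_POLICY, "s3:ListBucket", "arn:aws:s3:::asdwasw432"),
    }


if __name__ == "__main__":
    for request, decision in walk_through().items():
        print(f"{decision:<13} {request}")
```

Two things the output makes visible that the JSON alone hides: `arn:aws:s3:::backups/*` allows writes only into a bucket literally named `backups`, never into a `backups/` prefix of some other bucket, and `s3:ListBucket` must be granted on the bucket ARN (no trailing `/*`) while `s3:PutObject` must be granted on object ARNs, which is why the two usually need separate statements or both ARN forms, as the asker's EDIT 2 policy has.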