Reputation: 639
I have created a simple policy to access a specific bucket for an authenticated (access key/password) user. Following is the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxxxxx/*"
      ]
    }
  ]
}
But the user is not able to access it. If I replace Resource with "arn:aws:s3:::*", it works, but it shows all buckets to the attached user.
Upvotes: 0
Views: 3078
Reputation: 668
In Node.js you can do that like:
const AWS = require('aws-sdk');
const s3 = new AWS.S3();
const bucketName = 'xxxxxxx'; // the bucket name from the question

async function applyBucketPolicy() {
  const policy = {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'PublicListGet',
        Effect: 'Allow',
        Principal: '*', // applies to every caller, anonymous requests included
        Action: ['s3:List*', 's3:Get*', 's3:Put*'],
        // the bucket ARN (for List*) and the object ARN pattern (for Get*/Put*)
        Resource: [`arn:aws:s3:::${bucketName}`, `arn:aws:s3:::${bucketName}/*`]
      }
    ]
  };
  const bucketPolicyParams = {
    Bucket: bucketName,
    Policy: JSON.stringify(policy)
  };
  await s3.putBucketPolicy(bucketPolicyParams).promise();
}

applyBucketPolicy().catch(console.error);
Upvotes: 0
Reputation: 6937
As E.J. Brennan suggested you can add the bucket itself to Resource list but that would give the user the right to delete the bucket itself. If you just want them to view the bucket and be able to modify the objects inside it, you can grant list access to the bucket in addition to what you currently have like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::xxxxxxx"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxxxxx/*"
      ]
    }
  ]
}
Upvotes: 4
Reputation: 46839
Try this instead:
{
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::xxxxxxx",
        "arn:aws:s3:::xxxxxxx/*"
      ]
    }
  ]
}
You need to grant access within the bucket (the /*) and then to the bucket itself, which is the part you are missing.
Upvotes: 4
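To see why the three policies in this thread behave differently, here is an added example (not from any answer above) with a deliberately simplified IAM evaluator: explicit Deny wins, otherwise any statement whose Action and Resource wildcards both match grants access; Principal and Condition are ignored. The bucket name "example-bucket" is a constructed placeholder for the question's "xxxxxxx".

```python
import fnmatch

# Constructed placeholder standing in for the question's "xxxxxxx".
BUCKET = "example-bucket"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# The question's policy: object ARNs only, so bucket-level actions never match.
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [f"{BUCKET_ARN}/*"]}]}

# Accepted answer: ListBucket on the bucket ARN, everything else on objects only.
LIST_PLUS_OBJECTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN]},
    {"Effect": "Allow", "Action": "s3:*", "Resource": [f"{BUCKET_ARN}/*"]}]}

# Last answer: s3:* on both ARNs; works, but also covers s3:DeleteBucket.
BUCKET_AND_OBJECTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow.

    IAM's '*' and '?' wildcards are applied to Action (case-insensitive) and
    Resource (case-sensitive); Principal and Condition are not modelled.
    """
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                         for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def access_matrix(policy):
    """Outcome of the three calls that matter in this thread."""
    return {
        "ListBucket": is_allowed(policy, "s3:ListBucket", BUCKET_ARN),
        "GetObject": is_allowed(policy, "s3:GetObject", f"{BUCKET_ARN}/report.csv"),
        "DeleteBucket": is_allowed(policy, "s3:DeleteBucket", BUCKET_ARN),
    }


if __name__ == "__main__":
    for name, pol in [("objects only", OBJECTS_ONLY), ("list+objects", LIST_PLUS_OBJECTS),
                      ("bucket+objects", BUCKET_AND_OBJECTS)]:
        print(f"{name:15} {access_matrix(pol)}")
```

The "objects only" policy denies ListBucket because the bucket ARN has no "/" and so never matches "bucket/*"; the accepted answer's policy adds exactly that match without granting DeleteBucket.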