Tudor Achim

Reputation: 505

Why does this S3 policy not allow me to download files?

This is the policy I have:

{
    "Version": "2012-10-17",
    "Id": "Policy1477084949492",
    "Statement": [
        {
            "Sid": "Stmt1477084932198",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::__redacted__"
        },
        {
            "Sid": "Stmt1477084947291",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::__redacted__/*"
        }
    ]
}

I am able to view the files in the bucket via aws s3 ls but am not able to download.

My understanding is that these permissions should give full access to any AWS identity.

Question: Is there some reason that is not the case here?

Upvotes: 0

Views: 226

Answers (1)

Xavier Hutchinson

Reputation: 2227

Your policy works for me when I test it in my account.

In IAM, a deny overwrites an allow, and I suspect that you have a conflicting policy somewhere. Check all user policies, and groups that the user is a member of for conflicting policies.

You don't explicitly say you are doing this, but just to cover all bases: if you are running the s3 get on an instance with an IAM Role associated with it, check to make sure that the IAM Role's permissions are appropriate.

Depending on what you are actually doing, this could explain your situation. If you are using an EC2 instance with an IAM Role, it will be using that IAM Role for permissions by default, not your IAM User permissions. If you run aws configure and explicitly configure it with an IAM User issued key and secret, then it will use the IAM User policies.

Best practices say that if you are performing work on an EC2 instance, where possible and where your use case allows for it, you should not be using keys and secrets on the host but using an EC2 IAM Role.

Additional Reading:

IAM Policy Evaluation Logic http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Upvotes: 1
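The deny-overrides-allow behaviour the answer describes, as an added example that is not part of the original question or answer: a simplified evaluator run over the question's bucket policy plus a constructed conflicting identity policy. Assumptions: the bucket name `example-bucket`, the object key, and `GROUP_POLICY` are hypothetical, and the evaluator models only same-account Effect/Action/Resource matching (no Condition, NotAction, principals, SCPs or permission boundaries).

```python
from fnmatch import fnmatchcase

BUCKET = "example-bucket"  # placeholder; the real bucket name is redacted on the page

# Bucket policy from the question (Id and Sid fields omitted).
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]}

# Constructed identity policy (hypothetical): the kind of conflicting
# statement that could sit on the user, one of its groups, or an instance role.
GROUP_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": ["s3:GetObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; ARNs are matched as written.
    act = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    res = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return act and res

def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    hits = [s["Effect"] for p in policies for s in p["Statement"]
            if _matches(s, action, resource)]
    if "Deny" in hits:          # any matching Deny wins over every Allow
        return "ExplicitDeny"
    return "Allow" if "Allow" in hits else "ImplicitDeny"

if __name__ == "__main__":
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    obj_arn = f"{bucket_arn}/report.csv"  # constructed object key
    for label, policies in [("bucket policy only", [BUCKET_POLICY]),
                            ("bucket + group policy", [BUCKET_POLICY, GROUP_POLICY])]:
        print(label,
              "| ListBucket:", evaluate(policies, "s3:ListBucket", bucket_arn),
              "| GetObject:", evaluate(policies, "s3:GetObject", obj_arn))
```

With the constructed deny in place, listing is still allowed while the download is refused, which is the symptom in the question.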
