Reputation: 3438
I'm trying to give a user from another AWS account access to the bucket itv-twitterstg-archive
and I've added the following bucket policy. They say they are getting a permission denied message. Can anyone see any issues with this policy or recommend anything else I can try? (ps, I've changed the name of the bucket for this example). Also, should a bucket policy come into effect as soon as you save it?
EDIT** To summarise, I want the user twitterstg-backup from AWS account 456456615374 to be able to perform these actions:
"s3:GetObject*"
"s3:PutObject"
"s3:PutObjectAcl"
"s3:DeleteObject"
"s3:GetBucketLocation"
"s3:GetBucketAcl"
"s3:ListBucket"
{
  "Version": "2012-10-17",
  "Id": "twitterstg backup policy",
  "Statement": [
    {
      "Sid": "Allow read/write of Objects within archive from specific user",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::456456615374:user/twitterstg-backup"
      },
      "Action": [
        "s3:GetObject*",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::itv-twitterstg-archive/*"
    },
    {
      "Sid": "Allow read/list of archive Bucket from specific user",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::456456615374:user/twitterstg-backup"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketAcl",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::itv-twitterstg-archive"
    }
  ]
}
Upvotes: 1
Views: 2632
Reputation: 270104
Your policy as listed in the Question is working perfectly fine for me!
Here's what I did:
In Account A: User-A
In Account B: Bucket-B
Principal: I inserted the ARN of User-A
Resource: used the name of my Amazon S3 bucket
I then used the credentials from User-A to list the contents of Bucket-B:
aws s3 ls s3://bucket-b --profile user-a
I also copied a file to Bucket-B:
aws s3 cp foo s3://bucket-b --profile user-a
Bottom line: It's working fine. You should investigate why your users are having a problem. You should also try to reproduce their situation (eg by trying it for yourself).
Upvotes: 1
Reputation: 39226
Please note that the Principal should be the Account-B (i.e. the other account) value.
"Principal": {
  "AWS": "arn:aws:iam::456456615374:user/twitterstg-backup"
},
Example:-
"Principal": {
  "AWS": "arn:aws:iam::AccountB-ID:root"
},
Second Account:-
Should set up the IAM user with an appropriate policy as well.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::itv-twitterstg-archive"
      ]
    }
  ]
}
How to find account id:-
Please follow the below steps to get the account id of Account-B.
Upvotes: 0
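As an added example, not code from the question or either answer: a small Python evaluator for the bucket policy in the question, showing why a cross-account call needs an Allow from both the bucket policy (bucket owner's account) and the caller's own identity policy (the point made in the second answer). The identity policy below is constructed to mirror that answer's ListBucket-only example; conditions, SCPs and permission boundaries are ignored.

```python
import fnmatch
# Values from the question (bucket ARN and the trusted user in the other account).
BUCKET = "arn:aws:s3:::itv-twitterstg-archive"
USER = "arn:aws:iam::456456615374:user/twitterstg-backup"

# The bucket policy from the question, in dict form.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER},
     "Action": ["s3:GetObject*", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
     "Resource": BUCKET + "/*"},
    {"Effect": "Allow", "Principal": {"AWS": USER},
     "Action": ["s3:GetBucketLocation", "s3:GetBucketAcl", "s3:ListBucket"],
     "Resource": BUCKET},
]}
# Constructed identity policy for the user in account 456456615374: it mirrors the
# second answer's example, which grants only ListBucket on the bucket itself.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET]},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(statement, principal):
    if principal is None:            # identity policies carry no Principal element
        return True
    spec = statement.get("Principal")
    allowed = ["*"] if spec == "*" else _as_list((spec or {}).get("AWS", []))
    return "*" in allowed or principal in allowed

def _matches(statement, action, resource, principal):
    # IAM wildcards ('*') match any run of characters, including '/'.
    return (_principal_matches(statement, principal)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))

def evaluate(policy, action, resource, principal=None):
    """Simplified IAM decision: explicit Deny wins, then any Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, resource, principal)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def cross_account_allowed(action, resource, principal=USER,
                          bucket_policy=BUCKET_POLICY, identity_policy=IDENTITY_POLICY):
    """Cross-account S3 access needs an Allow on both sides: the bucket policy in the
    bucket owner's account and the caller's identity policy in its own account."""
    return (evaluate(bucket_policy, action, resource, principal) == "Allow"
            and evaluate(identity_policy, action, resource) == "Allow")
```

With the ListBucket-only identity policy, listing succeeds but GetObject is refused even though the bucket policy allows it, which is the "permission denied" pattern the question describes; note also that object actions match only the `bucket/*` resource, never the bare bucket ARN.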