How to specify AWS S3 bucket policy

Question

My goal is to create technical user who will have only API access and set of allowed actions to specific S3 bucket.

I used "Policy generator" and copy/pasted ARN of the bucket. I also copy/pasted ARN of the user (IAM console-user profile). To make test simpler, I granted access to all actions ("s3:*)

During user creation I did not grant any right. I only checked "Use Access keys" and downloaded credentials.csv file.

Testing scenario is following:

• I have [default] profile in file ~/.aws/credentials with my own credentials
• I run code to get bucket info. Works fine.
• I add credentials of technical user to ~/.aws/credentials under different profile [svc_account]
• I activate profile of technical user [svc_account]
• When I rerun the same command which worked with my credentials, I got error "Access denied"

Here is my policy I applied to bucket:

{
"Id": "Policy4321",
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt12345",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::my-bucket-name",
        "Principal": {
            "AWS": [
                "arn:aws:iam::111111111111:user/svc_acc"
            ]
        }
    }
  ]
}

What is wrong with my approach?

Answer 1

Your approach is fine, but your policy is not correct.

This policy only applies to the bucket itself, but not to the objects it holds. So depending on the command you invoke, you may get "Access Denied". Add /* to your bucket ARN to apply it to the objects.

"Resource": "arn:aws:s3:::my-bucket-name/*"

However, I would use IAM policies in this case as it is bound to a user. You can also easily check what the user can access just by checking his/her attached policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::my-bucket-name/*"]
    }
  ]
}