Kyle Calica-St

Reputation: 2943

S3 PutObject Access Denied when deploying to

I want to create an IAM user whose sole job is to deploy to AWS S3 Static Website.

I have this policy given to my DeployUser:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::www.<my-site-name>.com"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
        }
    ]
}

And this is my bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
        }
    ]
}

And this is the issue I get when I deploy (I am using GitHub Actions for this):

upload failed: public/404.html to s3://www.<my-site-name>.com/404.html An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

In GitHub, I passed the access key and secret of the user to my Action. I am pretty sure it is using that user to do the transaction. When I give S3FullAccess, my user is able to do it just fine. But I want to create a user with only the AWS actions it needs.

Where can I see better logs of this IAM user's actions?

Upvotes: 0

Views: 2510

Answers (1)

Marcin

Reputation: 238249

Based on the comments, the solution was to add PutObject in the bucket policy for the DeployUser.

Upvotes: 1
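
The change the answer describes, written out as an added example that is not part of the original answer: the question's bucket policy with a second statement that allows the deploy user to upload objects. The `Sid` value `DeployUserPutObject` and the principal ARN are assumptions; `<account-id>` is a placeholder, and the user name `DeployUser` is taken from the question's wording.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
        },
        {
            "Sid": "DeployUserPutObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account-id>:user/DeployUser"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
        }
    ]
}
```

The write permission is scoped to the one named principal, so the public statement above it still grants read access only.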
