AWS S3 Policies List* vs Get*


TL;DR

If you are running into 403 Access Denied on ListObjects (IAM action s3:ListBucket) or any other List call through the S3 SDK, make sure your policy grants the List actions against the bucket ARN (arn:aws:s3:::bucket-name) and the Get actions against the object ARN (arn:aws:s3:::bucket-name/prefix/*), in two separate statements. The two act on different resource types: s3:ListBucket is evaluated against the bucket, so granting it on an object ARN does nothing, and s3:GetObject is evaluated against the object key, so granting it on the bare bucket ARN does nothing. Keeping them in separate statements also stops a wildcard such as s3:Get* from handing out bucket-level actions (GetBucketPolicy, GetBucketAcl and so on) along with object reads. One caveat: s3:ListBucket is not scoped by the object prefix, so the caller can list every key in the bucket unless the List statement carries a Condition on the s3:prefix key.

Wrong

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3Config",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/config/*"
            ]
        }
    ]
}

Right

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3BucketList",
            "Effect": "Allow",
            "Action": [
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ]
        },
        {
            "Sid": "S3ObjectGet",
            "Effect": "Allow",
            "Action": [
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/config/*"
            ]
        }
    ]
}

403 Access Denied When Accessing Object in S3

I ran into this issue when I was trying to access restricted objects in an S3 bucket from an EC2 instance. I knew that the instance already had an IAM role attached so that it could use CodeDeploy. Next, I created a policy (the first, above) that I believed should allow access to the objects I needed (limited by an object prefix). After SSH’ing into the EC2 instance I found that I still couldn’t access the object, and received a 403 Access Denied on the ListObject command.

After some research and trial and error, including some unfounded fears that my policy updates weren’t applying to my instance immediately (they do), I split out List and Get into two separate statements and, lo and behold, the EC2 instance with the updated role was able to access and copy the file immediately.
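To make the bucket-level versus object-level distinction mechanical, here is a small policy linter, added as an example for this post (it is not the author's code and not an AWS tool). It assumes a hand-picked subset of S3 actions and the resource type each is evaluated against, applies IAM's case-insensitive wildcard matching of Action values, and reports two things: an action pattern that applies to none of a statement's resources (so it grants nothing, the situation behind the 403 above) and a wildcard that, in a statement mixing bucket and object ARNs, grants bucket-level actions alongside object reads. The three sample policies are constructed here; they mirror the Wrong and Right policies above plus the pure mismatch case.

```python
import fnmatch
import json

# Hand-picked subset of S3 actions and the resource type each is evaluated
# against (an assumption sufficient for the List/Get case; not AWS's full table).
BUCKET_LEVEL = {
    "s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads",
    "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetBucketAcl",
}
OBJECT_LEVEL = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl",
    "s3:PutObject", "s3:DeleteObject",
}
S3_ARN_PREFIX = "arn:aws:s3:::"


def is_bucket_arn(arn):
    # arn:aws:s3:::bucket-name has no "/" after the prefix
    return arn.startswith(S3_ARN_PREFIX) and "/" not in arn[len(S3_ARN_PREFIX):]


def is_object_arn(arn):
    # arn:aws:s3:::bucket-name/key-or-pattern
    return arn.startswith(S3_ARN_PREFIX) and "/" in arn[len(S3_ARN_PREFIX):]


def expand_action(pattern):
    # IAM matches Action values case-insensitively with * and ? wildcards,
    # which is fnmatch's behaviour once both sides are lower-cased.
    return {a for a in BUCKET_LEVEL | OBJECT_LEVEL
            if fnmatch.fnmatchcase(a.lower(), pattern.lower())}


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements whose action patterns either grant
    nothing (resource-type mismatch) or grant at both levels (mixed statement)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = as_list(stmt.get("Resource", []))
        has_bucket = any(is_bucket_arn(r) for r in resources)
        has_object = any(is_object_arn(r) for r in resources)
        for pattern in as_list(stmt.get("Action", [])):
            matched = expand_action(pattern)
            at_bucket = matched & BUCKET_LEVEL if has_bucket else set()
            at_object = matched & OBJECT_LEVEL if has_object else set()
            if not at_bucket and not at_object:
                # The post's failure mode: List against an object ARN (or Get against
                # a bare bucket ARN) matches nothing, so the 403 stays.
                findings.append(f"{sid}: {pattern} applies to none of the listed "
                                f"resources and grants nothing")
            elif at_bucket and at_object:
                # A mixed statement applies the same wildcard to both ARNs, so
                # s3:Get* also hands out bucket-level reads such as GetBucketPolicy.
                findings.append(f"{sid}: {pattern} also grants bucket-level "
                                f"{sorted(at_bucket)}; split List and Get into separate statements")
    return findings


def statement(sid, actions, resources):
    return {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resources}


# Constructed samples modelled on the post's two policies, plus the pure
# mismatch case the TL;DR warns about.
WRONG = {"Version": "2012-10-17", "Statement": [statement(
    "S3Config", ["s3:Get*", "s3:List*"],
    ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/config/*"])]}
RIGHT = {"Version": "2012-10-17", "Statement": [
    statement("S3BucketList", ["s3:List*"], ["arn:aws:s3:::bucket-name"]),
    statement("S3ObjectGet", ["s3:Get*"], ["arn:aws:s3:::bucket-name/config/*"])]}
MISMATCHED = {"Version": "2012-10-17", "Statement": [
    statement("ListOnObjects", ["s3:ListBucket"], ["arn:aws:s3:::bucket-name/config/*"]),
    statement("GetOnBucket", ["s3:GetObject"], "arn:aws:s3:::bucket-name")]}

if __name__ == "__main__":
    for name, pol in [("WRONG", WRONG), ("RIGHT", RIGHT), ("MISMATCHED", MISMATCHED)]:
        print(name, json.dumps(lint_policy(pol), indent=2))
```

Run it directly to see the findings for each sample: the combined policy draws one finding for s3:Get*, the split policy draws none, and the mismatched policy draws one per statement. This is only a pre-flight check on the document; for the authoritative answer on a live principal, use the IAM policy simulator.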
