AWS S3 bucket policy denies access despite correct IAM permissions because of incorrect ARN in policy
ID: security/aws-s3-bucket-policy-evaluation-denies-access-due-to-incorrect-arn
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS S3 | active | — | — | — |
| AWS CLI 2.15.0 | active | — | — | — |
| Terraform 1.7.0 | active | — | — | — |
| Boto3 1.34.0 | active | — | — | — |
Root Cause
The S3 bucket policy names the wrong Amazon Resource Name (ARN) for the bucket or its objects, so the statement that was meant to match the request never does. The two S3 ARN forms are easy to confuse: `arn:aws:s3:::my-bucket` identifies the bucket itself and is what bucket-level actions such as `s3:ListBucket` require, while `arn:aws:s3:::my-bucket/*` identifies the objects inside it and is what object-level actions such as `s3:GetObject` and `s3:PutObject` require. A typo in the bucket name, a missing `/*`, or an ARN copied from a different bucket has the same effect. The request is then denied even though the IAM user or role carries the right permissions: for a principal in another account the bucket policy must grant access explicitly, so a mismatched `Allow` leaves no grant at all, and an explicit `Deny` in the bucket policy (for example one whose intended exception is written against the wrong ARN) overrides any `Allow` in the identity policy regardless of account.
Official Documentation
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html
Workarounds
- 95% success: Review and correct the ARN in the bucket policy. Retrieve the policy that is actually attached with `aws s3api get-bucket-policy --bucket my-bucket --query Policy --output text` and compare every `Resource` value against the real bucket name. The bucket itself is `arn:aws:s3:::my-bucket`; its objects are `arn:aws:s3:::my-bucket/*`. Bucket-level actions such as `s3:ListBucket` need the first form, object-level actions such as `s3:GetObject` and `s3:PutObject` need the second, and a statement that mixes both kinds of action needs both ARNs in its `Resource` list. Apply the corrected document with `aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json`. Example statement: `{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}`.
- 90% success: Use the AWS IAM Policy Simulator to test the principal against the bucket with the bucket policy included in the simulation (the console offers this when you supply an S3 resource ARN; the CLI equivalent, `aws iam simulate-principal-policy`, takes it through `--resource-policy`). Simulate the exact action and resource ARN of the failing request, for example `s3:GetObject` on `arn:aws:s3:::my-bucket/path/to/key`, not just the bucket ARN. The result names the statement that denies, or shows that no statement allowed the request, which pinpoints the mismatched ARN.
- 85% success: If using Terraform, derive the ARNs in the policy document from the bucket resource's own attributes instead of a hand-typed string, so the bucket name and the `/*` suffix cannot drift. In the `data "aws_iam_policy_document" "bucket_policy"` block use `resources = ["${aws_s3_bucket.my_bucket.arn}/*"]` for object-level actions and `resources = [aws_s3_bucket.my_bucket.arn]` for bucket-level actions, then attach it with `resource "aws_s3_bucket_policy" "b" { bucket = aws_s3_bucket.my_bucket.id policy = data.aws_iam_policy_document.bucket_policy.json }`.
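The review step above can be done mechanically before a policy is attached. The following is an added example, not code from the original page or from AWS: an offline lint that reads a bucket policy document, checks that every S3 ARN names the bucket the policy is attached to, and checks that object-level actions have an object ARN (`bucket/*`) and bucket-level actions have the bucket ARN available in the same statement. The two policy documents, the bucket name `my-bucket`, the function name `lint_bucket_policy` and the action lists are constructed for the example; the action lists cover only the common actions and are not the full S3 action table.

```python
"""Offline lint for S3 bucket policy Resource ARNs (added example, not AWS code)."""
import json
import re
from typing import Dict, List, Union

# Common actions that are evaluated against the bucket ARN (no "/*").
BUCKET_LEVEL_ACTIONS = {
    "s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:GetBucketAcl", "s3:PutBucketAcl",
}
# Common actions that are evaluated against an object ARN ("bucket/key").
OBJECT_LEVEL_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectAcl",
    "s3:PutObjectAcl", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
}

# arn:aws:s3:::<bucket>            -> bucket ARN   (key group is None)
# arn:aws:s3:::<bucket>/<key-glob> -> object ARN   (key group present)
S3_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)(?P<key>/.*)?$")


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_bucket_policy(policy: Union[str, Dict], bucket: str) -> List[str]:
    """Return human-readable findings for ARN mistakes in a bucket policy.

    `bucket` is the name of the bucket the policy is (or will be) attached to.
    An empty list means no ARN problem was found.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        bucket_arns: List[str] = []
        object_arns: List[str] = []
        for res in _as_list(stmt.get("Resource")):
            if res == "*":                     # matches every resource; nothing to check
                bucket_arns.append(res)
                object_arns.append(res)
                continue
            match = S3_ARN.match(res)
            if not match:
                findings.append(f"{sid}: {res!r} is not an S3 ARN")
                continue
            if match["bucket"] not in (bucket, "*"):
                findings.append(
                    f"{sid}: resource names bucket {match['bucket']!r} but the policy "
                    f"is attached to {bucket!r}")
            (object_arns if match["key"] is not None else bucket_arns).append(res)
        for action in actions:
            if "*" in action:                  # s3:* / s3:Get* span both scopes; skip
                continue
            if action in OBJECT_LEVEL_ACTIONS and not object_arns:
                findings.append(
                    f"{sid}: {action} is object-level but no object ARN is listed; "
                    f"add arn:aws:s3:::{bucket}/*")
            if action in BUCKET_LEVEL_ACTIONS and not bucket_arns:
                findings.append(
                    f"{sid}: {action} is bucket-level but no bucket ARN is listed; "
                    f"add arn:aws:s3:::{bucket}")
    return findings


PRINCIPAL = {"AWS": "arn:aws:iam::123456789012:user/MyUser"}

# Constructed sample: two classic mistakes, a missing "/*" and a bucket-name typo.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow", "Principal": PRINCIPAL,
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::my-bucket"},            # GetObject needs /*
        {"Sid": "AllowWrite", "Effect": "Allow", "Principal": PRINCIPAL,
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-bukcet/*"},          # typo in bucket name
    ],
}

# Constructed sample: the same intent with both ARN forms where they belong.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow", "Principal": PRINCIPAL,
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
        {"Sid": "AllowWrite", "Effect": "Allow", "Principal": PRINCIPAL,
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_bucket_policy(doc, "my-bucket") or ["no ARN problems"])
```

To lint the policy that is live on a bucket, save it with `aws s3api get-bucket-policy --bucket my-bucket --query Policy --output text > policy.json` and pass the file's contents to `lint_bucket_policy`. The check is deliberately per statement: a statement that lists both `arn:aws:s3:::my-bucket` and `arn:aws:s3:::my-bucket/*` alongside both `s3:ListBucket` and `s3:GetObject` is valid IAM and is not flagged. Wildcard actions are skipped because they span both scopes, so a `s3:*` statement with only the bucket ARN still deserves a manual look.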
Dead Ends
Common approaches that don't work:
- Add more IAM permissions to the user or role (e.g., `s3:ListBucket`, `s3:GetObject`): 70% fail. The identity policy is not what is failing. If the bucket policy contains an explicit `Deny` that matches the request, it overrides every `Allow` in the identity policy, so widening the identity policy changes nothing. If the principal is in another account, access also requires an `Allow` in the bucket policy on the correct ARN, and no identity-side permission can supply a grant the bucket owner never made. Fix the ARN in the bucket policy instead.
- Delete and recreate the bucket policy from scratch: 50% fail. A policy retyped from the same mental model carries the same wrong ARN, and the failure returns unchanged. Before attaching the new document, check each `Resource` against the real bucket name and make sure object-level actions get the `/*` form.
- Set the bucket to public access to bypass the policy: 90% fail. This exposes whatever the bucket holds to the internet, does not address the root cause, and replaces an availability problem with a data-exposure one. In practice it usually fails to apply at all: S3 Block Public Access, which is enabled by default on new buckets, rejects bucket policies that grant public access.