{ "id": "security/aws-s3-bucket-policy-evaluation-denies-access-due-to-incorrect-arn", "signature": "AWS S3 bucket policy denies access despite correct IAM permissions because of incorrect ARN in policy", "signature_zh": "AWS S3 存储桶策略因 ARN 错误而拒绝访问,尽管 IAM 权限正确", "regex": "AccessDenied|bucket policy|ARN|S3", "domain": "security", "category": "config_error", "subcategory": null, "root_cause": "The S3 bucket policy specifies an incorrect Amazon Resource Name (ARN) for the bucket or objects, causing the policy evaluation to deny access even when the IAM user or role has the correct permissions.", "root_cause_type": "generic", "root_cause_zh": "S3 存储桶策略为存储桶或对象指定了错误的 Amazon Resource Name (ARN),导致策略评估拒绝访问,即使 IAM 用户或角色具有正确的权限。", "versions": [ { "version": "AWS S3", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "AWS CLI 2.15.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Terraform 1.7.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Boto3 1.34.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "Add more IAM permissions to the user or role (e.g., s3:ListBucket, s3:GetObject)", "why_fails": "The issue is not a lack of IAM permissions but an explicit deny in the bucket policy due to an incorrect ARN. Adding IAM permissions does not override a bucket policy deny.", "fail_rate": 0.7, "condition": "", "sources": [] }, { "action": "Delete and recreate the bucket policy from scratch", "why_fails": "If the new policy also contains an incorrect ARN, the problem persists. The fix requires correcting the ARN, not recreating the policy blindly.", "fail_rate": 0.5, "condition": "", "sources": [] }, { "action": "Set the bucket to public access to bypass the policy", "why_fails": "This violates security best practices and may expose sensitive data. It also does not address the root cause and introduces new vulnerabilities.", "fail_rate": 0.9, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Review and correct the ARN in the bucket policy. Use the AWS S3 console or CLI to get the correct bucket ARN (e.g., `arn:aws:s3:::my-bucket` for the bucket, `arn:aws:s3:::my-bucket/*` for all objects). Update the policy accordingly. Example policy snippet: `{\"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"arn:aws:iam::123456789012:user/MyUser\"}, \"Action\": \"s3:GetObject\", \"Resource\": \"arn:aws:s3:::my-bucket/*\"}`.", "success_rate": 0.95, "how": "Review and correct the ARN in the bucket policy. Use the AWS S3 console or CLI to get the correct bucket ARN (e.g., `arn:aws:s3:::my-bucket` for the bucket, `arn:aws:s3:::my-bucket/*` for all objects). Update the policy accordingly. Example policy snippet: `{\"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"arn:aws:iam::123456789012:user/MyUser\"}, \"Action\": \"s3:GetObject\", \"Resource\": \"arn:aws:s3:::my-bucket/*\"}`.", "condition": "", "sources": [] }, { "action": "Use the AWS IAM Policy Simulator to test the bucket policy and identify the ARN mismatch. The simulator shows which statements are denying access and helps pinpoint the incorrect ARN.", "success_rate": 0.9, "how": "Use the AWS IAM Policy Simulator to test the bucket policy and identify the ARN mismatch. The simulator shows which statements are denying access and helps pinpoint the incorrect ARN.", "condition": "", "sources": [] }, { "action": "If using Terraform, ensure the `aws_s3_bucket_policy` resource uses the correct `bucket` attribute and ARN interpolation. Example: `resource \"aws_s3_bucket_policy\" \"b\" { bucket = aws_s3_bucket.my_bucket.id policy = data.aws_iam_policy_document.bucket_policy.json }`.", "success_rate": 0.85, "how": "If using Terraform, ensure the `aws_s3_bucket_policy` resource uses the correct `bucket` attribute and ARN interpolation. Example: `resource \"aws_s3_bucket_policy\" \"b\" { bucket = aws_s3_bucket.my_bucket.id policy = data.aws_iam_policy_document.bucket_policy.json }`.", "condition": "", "sources": [] } ], "workarounds_zh": [ "检查并更正存储桶策略中的 ARN。使用 AWS S3 控制台或 CLI 获取正确的存储桶 ARN(例如,存储桶使用 `arn:aws:s3:::my-bucket`,所有对象使用 `arn:aws:s3:::my-bucket/*`)。相应地更新策略。示例策略片段:`{\"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"arn:aws:iam::123456789012:user/MyUser\"}, \"Action\": \"s3:GetObject\", \"Resource\": \"arn:aws:s3:::my-bucket/*\"}`。", "使用 AWS IAM 策略模拟器测试存储桶策略并识别 ARN 不匹配。模拟器显示哪些语句正在拒绝访问,并帮助定位错误的 ARN。", "如果使用 Terraform,确保 `aws_s3_bucket_policy` 资源使用正确的 `bucket` 属性和 ARN 插值。示例:`resource \"aws_s3_bucket_policy\" \"b\" { bucket = aws_s3_bucket.my_bucket.id policy = data.aws_iam_policy_document.bucket_policy.json }`。" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html", "official_doc_section": null, "error_code": "AccessDenied", "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.92, "resolvable": "true", "first_seen": "2024-01-10", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }