# AWS S3 bucket policy denies access despite correct IAM permissions because of incorrect ARN in policy

- **ID:** `security/aws-s3-bucket-policy-evaluation-denies-access-due-to-incorrect-arn`
- **Domain:** security
- **Category:** config_error
- **Error Code:** `AccessDenied`
- **Verification:** ai_generated
- **Fix Rate:** 92%

## Root Cause

The S3 bucket policy specifies an incorrect Amazon Resource Name (ARN) for the bucket or objects, causing the policy evaluation to deny access even when the IAM user or role has the correct permissions.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS S3 | active | — | — |
| AWS CLI 2.15.0 | active | — | — |
| Terraform 1.7.0 | active | — | — |
| Boto3 1.34.0 | active | — | — |

## Workarounds

1. **Review and correct the ARN in the bucket policy.** Use the AWS S3 console or CLI to get the correct bucket ARN (e.g., `arn:aws:s3:::my-bucket` for the bucket, `arn:aws:s3:::my-bucket/*` for all objects) and update the policy accordingly. Example policy statement: (95% success)
   ```json
   {
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*"
   }
   ```
2. **Use the AWS IAM Policy Simulator to test the bucket policy and identify the ARN mismatch.** The simulator shows which statements are denying access and helps pinpoint the incorrect ARN. (90% success)
3. **If using Terraform, ensure the `aws_s3_bucket_policy` resource uses the correct `bucket` attribute and ARN interpolation.** Example: (85% success)
   ```hcl
   resource "aws_s3_bucket_policy" "b" {
     bucket = aws_s3_bucket.my_bucket.id
     policy = data.aws_iam_policy_document.bucket_policy.json
   }
   ```
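As an added example (not part of this entry), a small Python check that flags the two ARN mistakes described above before a policy is applied: `Resource` ARNs that belong to a different bucket, and object-level actions such as `s3:GetObject` paired with the bare bucket ARN instead of `bucket/*`. The sample policy and bucket name are constructed for illustration, and the action sets are a hypothetical subset of the S3 actions.

```python
import json

# Object-level actions need an object ARN (bucket/key); bucket-level ones need the bucket ARN.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_policy_arns(policy, bucket):
    """Return problems found in the policy's statements for the given bucket name."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                continue  # wildcard resource matches anything; nothing to check here
            # The bucket name must match exactly: "my-bucket-prod/*" is NOT inside "my-bucket".
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                problems.append(f"{sid}: Resource {res!r} is not in bucket {bucket!r}")
                continue
            is_object_arn = res.startswith(bucket_arn + "/")
            for action in _as_list(stmt.get("Action", [])):
                if action in OBJECT_ACTIONS and not is_object_arn:
                    problems.append(f"{sid}: {action} needs an object ARN, got {res!r}")
                elif action in BUCKET_ACTIONS and is_object_arn:
                    problems.append(f"{sid}: {action} needs the bucket ARN, got {res!r}")
    return problems

# Constructed sample policy: one correct statement and two with ARN mistakes.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadObjects", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "WrongBucket", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket-prod/*"},
    {"Sid": "MissingSlashStar", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::my-bucket"}
  ]
}""")

if __name__ == "__main__":
    for problem in check_policy_arns(SAMPLE_POLICY, "my-bucket"):
        print(problem)
```

Run against a live policy by passing `json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])` from boto3 as the first argument.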

## Dead Ends

- **Add more IAM permissions to the user or role (e.g., s3:ListBucket, s3:GetObject)** — The issue is not a lack of IAM permissions but an explicit deny in the bucket policy due to an incorrect ARN. Adding IAM permissions does not override a bucket policy deny. (70% fail)
- **Delete and recreate the bucket policy from scratch** — If the new policy also contains an incorrect ARN, the problem persists. The fix requires correcting the ARN, not recreating the policy blindly. (50% fail)
- **Set the bucket to public access to bypass the policy** — This violates security best practices and may expose sensitive data. It also does not address the root cause and introduces new vulnerabilities. (90% fail)
