AWS S3 bucket policy denies access despite correct IAM permissions because of incorrect ARN in policy
ID: security/aws-s3-bucket-policy-evaluation-denies-access-due-to-incorrect-arn
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS S3 | active | — | — | — |
| AWS CLI 2.15.0 | active | — | — | — |
| Terraform 1.7.0 | active | — | — | — |
| Boto3 1.34.0 | active | — | — | — |
Root cause analysis
The S3 bucket policy specifies an incorrect Amazon Resource Name (ARN) for the bucket or its objects, so no Allow statement matches the request and the policy evaluation denies access even when the IAM user or role has the correct permissions.
Official documentation
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html
Solution
- Check and correct the ARNs in the bucket policy. Use the AWS S3 console or the CLI to obtain the correct bucket ARN (for example, `arn:aws:s3:::my-bucket` for the bucket itself and `arn:aws:s3:::my-bucket/*` for all objects in it; bucket-level actions such as s3:ListBucket need the former, object-level actions such as s3:GetObject need the latter). Update the policy accordingly. Example policy statement: `{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}`.
- Use the AWS IAM Policy Simulator to test the bucket policy and identify ARN mismatches. The simulator shows which statements are denying access and helps locate the incorrect ARN.
- If you use Terraform, make sure the `aws_s3_bucket_policy` resource uses the correct `bucket` attribute and ARN interpolation. Example: `resource "aws_s3_bucket_policy" "b" { bucket = aws_s3_bucket.my_bucket.id; policy = data.aws_iam_policy_document.bucket_policy.json }`.
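The following is an added example, not part of this entry: a small offline linter, written here in Python, that reads a bucket policy document and flags the two ARN mistakes described above (a Resource that names a different bucket, and a bucket-level action paired with an object ARN or vice versa). It assumes the policy JSON is already in hand (e.g. from `aws s3api get-bucket-policy`); the sample policy, statement IDs and action sets are constructed for illustration and do not replace a run of the IAM Policy Simulator.

```python
import json

# Actions that operate on the bucket itself: Resource must be the bucket ARN.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy"}
# Actions that operate on objects: Resource must be bucket ARN + "/key" or "/*".
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_arn_mismatches(policy_json, bucket_name):
    """Flag Resource ARNs that cannot match the bucket they are meant to cover."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                continue  # matches everything; not an ARN typo
            if not res.startswith("arn:aws:s3:::"):
                findings.append(f"{sid}: '{res}' is not an S3 ARN")
                continue
            body = res[len("arn:aws:s3:::"):]
            res_bucket, has_key, _ = body.partition("/")  # has_key is "/" or ""
            if res_bucket != bucket_name:
                findings.append(f"{sid}: '{res}' names bucket '{res_bucket}', expected '{bucket_name}'")
                continue
            for action in actions:
                if action in OBJECT_LEVEL_ACTIONS and not has_key:
                    findings.append(f"{sid}: {action} needs an object ARN like '{bucket_arn}/*', got '{res}'")
                elif action in BUCKET_LEVEL_ACTIONS and has_key:
                    findings.append(f"{sid}: {action} needs the bucket ARN '{bucket_arn}', got '{res}'")
    return findings

# Constructed sample: two typical mistakes that make the policy silently fail to match.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadObjects", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-buckets/*"},  # bucket name typo
    {"Sid": "ListIt", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket/*"},  # object ARN on bucket action
]})

if __name__ == "__main__":
    for line in find_arn_mismatches(SAMPLE_POLICY, "my-bucket"):
        print(line)
```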
Ineffective attempts
Common but ineffective approaches:
- Add more IAM permissions to the user or role (e.g., s3:ListBucket, s3:GetObject). Failure rate: 70%. The issue is not a lack of IAM permissions but a deny resulting from the bucket policy's incorrect ARN. Adding IAM permissions does not override a bucket policy deny.
- Delete and recreate the bucket policy from scratch. Failure rate: 50%. If the new policy also contains an incorrect ARN, the problem persists. The fix requires correcting the ARN, not recreating the policy blindly.
- Set the bucket to public access to bypass the policy. Failure rate: 90%. This violates security best practices and may expose sensitive data. It also does not address the root cause and introduces new vulnerabilities.