# AWS S3 存储桶策略因 ARN 错误而拒绝访问，尽管 IAM 权限正确

- **ID:** `security/aws-s3-bucket-policy-evaluation-denies-access-due-to-incorrect-arn`
- **领域:** security
- **类别:** config_error
- **错误码:** `AccessDenied`
- **验证级别:** ai_generated
- **修复率:** 92%

## 根因

S3 存储桶策略为存储桶或对象指定了错误的 Amazon Resource Name (ARN)，导致策略评估拒绝访问，即使 IAM 用户或角色具有正确的权限。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| AWS S3 | active | — | — |
| AWS CLI 2.15.0 | active | — | — |
| Terraform 1.7.0 | active | — | — |
| Boto3 1.34.0 | active | — | — |

## 解决方案

1. ```
   检查并更正存储桶策略中的 ARN。使用 AWS S3 控制台或 CLI 获取正确的存储桶 ARN（例如，存储桶使用 `arn:aws:s3:::my-bucket`，所有对象使用 `arn:aws:s3:::my-bucket/*`）。相应地更新策略。示例策略片段：`{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}`。
   ```
2. ```
   使用 AWS IAM 策略模拟器测试存储桶策略并识别 ARN 不匹配。模拟器显示哪些语句正在拒绝访问，并帮助定位错误的 ARN。
   ```
3. ```
   如果使用 Terraform，确保 `aws_s3_bucket_policy` 资源使用正确的 `bucket` 属性和 ARN 插值。示例：`resource "aws_s3_bucket_policy" "b" { bucket = aws_s3_bucket.my_bucket.id policy = data.aws_iam_policy_document.bucket_policy.json }`。
   ```

## 无效尝试

- **Add more IAM permissions to the user or role (e.g., s3:ListBucket, s3:GetObject)** — The issue is not a lack of IAM permissions but an explicit deny in the bucket policy due to an incorrect ARN. Adding IAM permissions does not override a bucket policy deny. (70% 失败率)
- **Delete and recreate the bucket policy from scratch** — If the new policy also contains an incorrect ARN, the problem persists. The fix requires correcting the ARN, not recreating the policy blindly. (50% 失败率)
- **Set the bucket to public access to bypass the policy** — This violates security best practices and may expose sensitive data. It also does not address the root cause and introduces new vulnerabilities. (90% 失败率)