Amazon S3 AccessDenied Error with Only arn:aws:s3:::bucket Setting

Tadashi Shigeoka ·  Thu, July 29, 2021

This post describes how I got an AccessDenied error from Amazon S3 when only the bucket ARN arn:aws:s3:::bucket was set as the policy Resource, and how I resolved it by also adding the object ARN arn:aws:s3:::bucket/*.

AWS

Background: AccessDenied Error When Accessing After File Upload to S3

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>xxxxxx</RequestId>
<HostId>xxxxxx</HostId>
</Error>

Solution: Specify Object ARN arn:aws:s3:::bucket/*

I had only specified the bucket ARN arn:aws:s3:::bucket as the Resource, so I resolved it by also specifying the object ARN arn:aws:s3:::bucket/*. Reading the uploaded file is an object-level action (s3:GetObject), and IAM matches the Resource pattern against the full ARN of the object, arn:aws:s3:::bucket/key; the bucket ARN alone does not cover keys inside the bucket, so the request fell through to the default deny. Bucket-level actions such as s3:ListBucket still need the bucket ARN, so a policy that does both typically lists both resources.

Specifying Target Resources

When allowing/denying certain Actions in bucket policies or IAM policies, specify the target Resource with ARN. For Actions on buckets, specify the bucket ARN (arn:aws:s3:::bucket) as the Resource. For Actions on objects, specify the object ARN (arn:aws:s3:::bucket/*) as the Resource.


Source: S3 Access Control Summary (S3のアクセスコントロールまとめ) - Qiita
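To make the resource-matching rule above concrete, here is an added Python example (not code from the original post or from the Qiita article) that models how IAM compares a policy's Resource pattern against the ARN of the thing being accessed, then runs the post's two requests against the broken policy and the fixed one. The bucket name bucket, the object key uploads/photo.jpg and the second bucket bucket-two are constructed sample values, and the evaluator deliberately ignores Principal, Condition and cross-account rules so that only the resource-matching behaviour is on display.

```python
import json
import re

# Added example: a minimal model of IAM resource matching, enough to show why
# "arn:aws:s3:::bucket" alone yields AccessDenied for object reads.
# Bucket names and object keys below are constructed sample values.


def arn_matches(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """Match an IAM policy pattern against a concrete string.

    IAM compares the whole string: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal. There is no implicit
    prefix matching, so 'arn:aws:s3:::bucket' does not cover 'arn:aws:s3:::bucket/key'.
    Action names are case-insensitive in IAM; ARNs are compared as given here.
    """
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified evaluation: default deny, any matching Deny wins, otherwise
    allowed if some statement's Action and Resource both match.
    Principal, Condition, NotAction/NotResource and cross-account rules are
    ignored on purpose; this only demonstrates resource matching.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(arn_matches(a, action, case_insensitive=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The shape of the policy the post started with: every action, including the
# object-level ones, pointed only at the bucket ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::bucket",
        }
    ],
}

# The fix: bucket-level actions keep the bucket ARN, object-level actions get bucket/*.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket"},
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::bucket/*",
        },
    ],
}

BUCKET_ARN = "arn:aws:s3:::bucket"
OBJECT_ARN = "arn:aws:s3:::bucket/uploads/photo.jpg"  # constructed sample key
OTHER_BUCKET_OBJECT = "arn:aws:s3:::bucket-two/uploads/photo.jpg"  # constructed


def evaluate() -> dict:
    """Run the post's requests against both policies and return the decisions."""
    return {
        "broken: ListBucket on bucket": is_allowed(BROKEN_POLICY, "s3:ListBucket", BUCKET_ARN),
        "broken: GetObject on object": is_allowed(BROKEN_POLICY, "s3:GetObject", OBJECT_ARN),
        "fixed: GetObject on object": is_allowed(FIXED_POLICY, "s3:GetObject", OBJECT_ARN),
        "fixed: ListBucket on bucket": is_allowed(FIXED_POLICY, "s3:ListBucket", BUCKET_ARN),
        "fixed: GetObject in another bucket": is_allowed(FIXED_POLICY, "s3:GetObject", OTHER_BUCKET_OBJECT),
        # A tempting shortcut, "arn:aws:s3:::bucket*", covers both forms but also
        # matches any bucket whose name merely starts with "bucket": too broad.
        "shortcut bucket* matches other bucket": arn_matches("arn:aws:s3:::bucket*", OTHER_BUCKET_OBJECT),
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(), indent=2))
```

Running it shows ListBucket succeeding and GetObject failing under the broken policy, both succeeding under the fixed one, and the fixed policy still refusing objects in bucket-two. The last entry is the caveat worth remembering: arn:aws:s3:::bucket* would have made the error go away, but it grants access to every bucket whose name starts with "bucket", which is why the two explicit ARNs are the right fix.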

That’s all from the Gemba.