How to create a public Multi-Region Access Point policy?
I am experimenting with multi-region access points and their over-complicated policy syntax, and I can't get the simplest things to work.
I have 3 buckets spawned across the globe and created a single access point. All my items are private as my multi-region access point policy is not configured yet.
So far I have this:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3::<my account id>:accesspoint/xyz.mrap"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointAccount": "<my account id>"
                }
            }
        }
    ]
}
```
The error indicated states:
Action does not apply to any resource(s) in statement
Their example uses "Action" : "*", but I want to limit this.
Can anyone help out what is wrong with my policy?
Solution 1:[1]
s3:GetObject applies to objects only. Your arn:aws:s3::<my account id>:accesspoint/xyz.mrap represents the access point, not its objects. Thus it should be:
```json
"Resource": [
    "arn:aws:s3::<my account id>:accesspoint/xyz.mrap/*"
],
```
Solution 2:[2]
Per docs, the access point policy needs the /object/* prefix:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3::123456789012:accesspoint/xyz.mrap",
                "arn:aws:s3::123456789012:accesspoint/xyz.mrap/object/*"
            ]
        }
    ]
}
```
It looks like you are trying to grant public access with a principal of "AWS": "*". The steps to review:
- Ensure your MRAP is created with public access block off
- Delegate permissions from your buckets up to your MRAP, per this guide, ensuring the bucket is not getting in the way
- Create the MRAP Policy to suit
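To check a policy for the action/resource mismatch behind the error in the question before submitting it, here is an added Python linter (example code written for this page, not from either answer or from AWS). It classifies each Resource as the access point itself or an object path below it, flags object-only actions such as s3:GetObject that have no object ARN and access-point actions such as s3:ListBucket that have no access point ARN, and reports whether the policy uses a wildcard principal; the action-to-resource-kind mapping is a small assumed subset, not AWS's full table.

```python
import re

# Which resource kind each S3 action applies to. Illustrative subset only
# (an assumption for this example, not AWS's full action table).
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
ACCESS_POINT_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}

# A Multi-Region Access Point ARN has an empty region field; the bare ARN names the
# access point, and anything under .../<alias>.mrap/ (e.g. /object/*) names objects.
MRAP_ARN = re.compile(
    r"^arn:aws:s3::(\d{12}|<[^>]*>):accesspoint/(?P<alias>[^/]+\.mrap)(?P<path>/.*)?$"
)

def classify_resource(arn):
    """'accesspoint' for the MRAP itself, 'object' below it, None if not an MRAP ARN."""
    m = MRAP_ARN.match(arn)
    return None if m is None else ("object" if m.group("path") else "accesspoint")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy):
    """Report the mismatches the console rejects with
    'Action does not apply to any resource(s) in statement'."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        kinds = {classify_resource(r) for r in _as_list(stmt.get("Resource"))}
        if None in kinds:
            findings.append(f"statement {i}: a Resource is not a Multi-Region Access Point ARN")
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "s3:*"):
                continue  # a wildcard action matches whatever resources are listed
            if action in OBJECT_ACTIONS and "object" not in kinds:
                findings.append(f"statement {i}: {action} needs an object ARN "
                                "(.../accesspoint/<alias>.mrap/object/*)")
            elif action in ACCESS_POINT_ACTIONS and "accesspoint" not in kinds:
                findings.append(f"statement {i}: {action} needs the access point ARN itself")
    return findings

def is_public(policy):
    """True if any Allow statement uses a wildcard principal, as both policies above do."""
    return any(s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})
               for s in policy.get("Statement", []))

# Constructed copy of the question's policy, with its "<my account id>" placeholder kept.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3::<my account id>:accesspoint/xyz.mrap"]}]}
```

Running `lint_policy(QUESTION_POLICY)` reproduces the console's complaint for the original policy, while the policy from Solution 2 passes with no findings.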
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Marcin |
| Solution 2 | danialk |
