The issue is most likely caused by the S3 bucket permissions: either you have defined an s3:ListBucket permission along with s3:GetObject or s3:PutObject, or the resource definition is wrong. A working solution for the issue is given below.
Policy with the issue:
{
  "Id": "Policyxxxx961",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxx4365",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Principal": "*"
    }
  ]
}
Resolution:
Removing the s3:ListBucket permission is not a good enough solution.
If you want the s3:ListBucket permission, you need to use the plain ARN of the bucket (without the /* at the end), as this permission applies to the bucket itself and not to items within the bucket.
As shown below, the s3:ListBucket permission has to be a separate statement from the permissions pertaining to items within the bucket, like s3:GetObject and s3:PutObject:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}
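A check for the action/resource mismatch described above, as an added example that is not part of the original answer. The function and constant names are hypothetical, the action lists are a hand-picked subset, and only `Action`/`Resource` (not `NotAction`/`NotResource`) are inspected.

```python
import json

# Assumption: a small, hand-picked subset of S3 actions grouped by resource type.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def can_match_bucket(arn):
    # A bucket ARN never contains '/', so any pattern with '/' is object-only.
    return "/" not in arn.split(":::", 1)[-1]

def can_match_object(arn):
    # '*' also matches '/', so 'my-bucket*' or a bare '*' can reach object ARNs.
    part = arn.split(":::", 1)[-1]
    return "/" in part or "*" in part

def lint_policy(policy_json):
    """Return (statement index, action, problem) for each action/resource mismatch."""
    findings = []
    statements = json.loads(policy_json)["Statement"]
    for idx, stmt in enumerate(statements):
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if action in BUCKET_ACTIONS and not any(map(can_match_bucket, resources)):
                findings.append((idx, action, "needs the bucket ARN without /*"))
            elif action in OBJECT_ACTIONS and not any(map(can_match_object, resources)):
                findings.append((idx, action, "needs an object ARN such as bucket/*"))
    return findings

# Constructed inputs mirroring the two policies on this page.
BROKEN = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Resource": "arn:aws:s3:::bucket-name/*",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"]}]})
FIXED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "[IAM ARN HERE]"},
     "Resource": "arn:aws:s3:::my-bucket-name", "Action": ["s3:ListBucket"]},
    {"Effect": "Allow", "Principal": {"AWS": "[IAM ARN HERE]"},
     "Resource": "arn:aws:s3:::my-bucket-name/*",
     "Action": ["s3:GetObject", "s3:PutObject"]}]})

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_policy(policy))
```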