How to create a public Multi-Region Access Point policy?


I am experimenting with multi-region access points and their over-complicated policy syntax, and I can't get the simplest things to work.

I have 3 buckets spawned across the globe and created a single access point. All my items are private as my multi-region access point policy is not configured yet.

So far I have this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3::<my account id>:accesspoint/xyz.mrap"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointAccount": "<my account id>"
                }
            }
        }
    ]
}

The error indicated states:

Action does not apply to any resource(s) in statement

Their example uses "Action" : "*", but I want to limit this.

Can anyone help out what is wrong with my policy?

Accepted answer (2 votes):

s3:GetObject applies to objects only. Your arn:aws:s3::<my account id>:accesspoint/xyz.mrap represents an access point, not its objects. Thus it should be:

            "Resource": [
                "arn:aws:s3::<my account id>:accesspoint/xyz.mrap/*"
            ],
Answer (1 vote):

Per docs, the access point policy needs the /object/* prefix:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3::123456789012:accesspoint/xyz.mrap",
                "arn:aws:s3::123456789012:accesspoint/xyz.mrap/object/*"
            ]
        }
    ]
}

It looks like you are trying to grant public access with a principal of "AWS": "*". The steps to review:

  1. Ensure your MRAP is created with public access block off
  2. Delegate permissions from your buckets up to your MRAP, per this guide, ensuring the bucket is not getting in the way
  3. Create the MRAP Policy to suit
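Both answers come down to the same rule: an object-level action such as s3:GetObject has to be paired with an object-level resource ARN on the access point, while s3:ListBucket is paired with the access point ARN itself. The following offline linter, added here as an example and not code from the question, the answers or AWS, applies that rule to a policy document before you submit it, so the "Action does not apply to any resource(s) in statement" rejection is caught locally. It treats the documented object form accesspoint/<alias>.mrap/object/* and the accepted answer's /* form both as object-level resources, and it also reports an Allow with Principal * as a public grant (the public-access-block point from step 1). The account id and MRAP alias are constructed placeholders, and the action-to-resource tables cover only the actions this thread uses.

```python
import re

# Constructed sample identifiers; not a real account or MRAP alias.
ACCOUNT_ID = "123456789012"
MRAP_ALIAS = "xyz.mrap"

# MRAP ARNs have an empty region field.  Anything after the alias is treated
# as an object-level path (the documented form is "/object/*").
MRAP_ARN_RE = re.compile(
    r"^arn:aws:s3::(?P<account>\d{12}):accesspoint/"
    r"(?P<alias>[a-z0-9]+\.mrap)(?P<suffix>(/.*)?)$"
)

# Resource kind each S3 action applies to (only the subset this thread needs).
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
ACCESSPOINT_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}


def classify_resource(arn):
    """Return "object", "accesspoint", or None for a non-MRAP ARN."""
    m = MRAP_ARN_RE.match(arn)
    if m is None:
        return None
    return "object" if m.group("suffix") else "accesspoint"


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_statement(stmt):
    """Return findings for one statement, prefixed "error:" or "info:"."""
    findings = []
    kinds = {r: classify_resource(r) for r in _as_list(stmt.get("Resource"))}
    for arn, kind in kinds.items():
        if kind is None:
            findings.append(f"error: not a Multi-Region Access Point ARN: {arn}")
    present = set(kinds.values())
    for action in _as_list(stmt.get("Action")):
        if action in ("*", "s3:*"):
            continue  # wildcard actions apply to every resource kind
        if action in OBJECT_ACTIONS and "object" not in present:
            findings.append(f"error: {action} applies to objects only; it needs "
                            "arn:aws:s3::<account>:accesspoint/<alias>.mrap/object/*")
        elif action in ACCESSPOINT_ACTIONS and "accesspoint" not in present:
            findings.append(f"error: {action} applies to the access point; it needs "
                            "arn:aws:s3::<account>:accesspoint/<alias>.mrap")
    principal = stmt.get("Principal")
    is_public = principal == "*" or (
        isinstance(principal, dict) and principal.get("AWS") == "*")
    if stmt.get("Effect") == "Allow" and is_public:
        findings.append("info: Allow with Principal * is a public grant; "
                        "the MRAP's public access block must permit it")
    return findings


def lint_policy(policy):
    """Lint every statement; return (statement_index, finding) pairs."""
    return [(i, f) for i, s in enumerate(policy.get("Statement", []))
            for f in lint_statement(s)]


def errors(policy):
    """Only the findings that would make S3 reject the policy."""
    return [f for _, f in lint_policy(policy) if f.startswith("error:")]


# The question's policy, with the constructed account id filled in.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": [f"arn:aws:s3::{ACCOUNT_ID}:accesspoint/{MRAP_ALIAS}"],
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT_ID}},
    }],
}

# The same grant with the object-level resource added.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [
            f"arn:aws:s3::{ACCOUNT_ID}:accesspoint/{MRAP_ALIAS}",
            f"arn:aws:s3::{ACCOUNT_ID}:accesspoint/{MRAP_ALIAS}/object/*",
        ],
    }],
}

if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(name)
        for idx, finding in lint_policy(pol):
            print(f"  statement[{idx}]: {finding}")
```

Running it reports one error for the question's policy (s3:GetObject with no object resource) and none for the fixed one; both get the informational public-grant finding, which is the case where step 1 above (public access block off on the MRAP) matters.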