Does AmazonS3FullAccess managed policy in group not give S3 permission?

I have an S3 bucket that has a CloudFront origin access identity in its bucket policy:

{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <mine>"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<my-bucket>/*"
    }
  ]
}

In addition, I created a group, attached the AmazonS3FullAccess managed policy to it, and added an IAM user to this group. The managed policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

, - , 403 ( ). , - , , . , ARN , . ? , , .

: , , , , Amazon . , , EC2 . , , ( aws-sdk Ruby). Amazon , - ? ...


( ):

"Resource": "arn:aws:s3:::<my-bucket>/*"

:

"Resource": ["arn:aws:s3:::<my-bucket>", "arn:aws:s3:::<my-bucket>/*"]

"Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <mine>"},

:

"Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:user/USERNAME"},
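The following is an added example, not code from the question or the answer. It is a simplified evaluator that reports which of a few sample S3 actions a bucket policy's Allow statements grant to a given principal. It shows the separate effect of the Principal and of the bucket ARN versus the `/*` object ARN in Resource. The bucket name, account ID, user name and OAI ID are constructed placeholders, and `granted_actions` and `make_policy` are hypothetical helper names.

```python
import fnmatch

# Non-exhaustive sample: the resource type S3 authorises each action against.
BUCKET_ACTIONS = ("s3:ListBucket", "s3:GetBucketLocation")
OBJECT_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_principal(stmt, principal_arn):
    """True if the statement's Principal is "*" or lists principal_arn under "AWS"."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))
    return principal == "*"

def granted_actions(policy, bucket, principal_arn, sample_key="dir/file.txt"):
    """Sample actions that the policy's Allow statements grant to principal_arn.
    Simplified: ignores Deny, Condition, Not* elements and identity-based policies."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    targets = [(a, bucket_arn) for a in BUCKET_ACTIONS]
    targets += [(a, f"{bucket_arn}/{sample_key}") for a in OBJECT_ACTIONS]
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or not _names_principal(stmt, principal_arn):
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
        resources = _as_list(stmt["Resource"])
        for action, arn in targets:
            if (any(fnmatch.fnmatchcase(action.lower(), p) for p in actions)
                    and any(fnmatch.fnmatchcase(arn, r) for r in resources)):
                granted.add(action)
    return granted

def make_policy(principal, action, resources):
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": action, "Resource": resources}
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed sample values (not taken from the question)
BUCKET = "example-bucket"
USER = "arn:aws:iam::111122223333:user/example-user"
OAI = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"
ORIGINAL = make_policy(OAI, "s3:GetObject", OBJECTS)
SUGGESTED = make_policy(USER, "s3:GetObject", [f"arn:aws:s3:::{BUCKET}", OBJECTS])
WILDCARD_OBJECTS_ONLY = make_policy(USER, "s3:*", OBJECTS)

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("suggested", SUGGESTED), ("s3:* on /* only", WILDCARD_OBJECTS_ONLY)):
        print(name, sorted(granted_actions(policy, BUCKET, USER)))
```

The evaluator covers only the bucket policy. For a real decision, the user's identity-based policies (such as AmazonS3FullAccess) and any explicit Deny are evaluated as well.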
