AWS IAM Policy with s3:PutObject Fails for Specific Bucket in Policy Simulator


I'm experiencing difficulties with an AWS IAM policy intended to grant s3:PutObject permissions for a specific S3 bucket named examplebucket. The policy works as expected when using a wildcard for the resource, but fails when I specify the bucket directly, affecting both the AWS IAM Policy Simulator and my desktop application.

Working Policy (with wildcard resource):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "*"
    }
  ]
}

and this fails the simulator:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}

The policy with "Resource": "*" successfully allows s3:PutObject operations in both the AWS IAM Policy Simulator and my desktop app (DART by APTrust). However, refining the policy to target examplebucket specifically seems to prevent the policy from allowing the same action.

Context:

examplebucket exists and is correctly named in my policy.

AWS Block Public Access is enabled on examplebucket, with no conflicting bucket policies in place as far as I can tell.

My aim is to apply the principle of least privilege by limiting the policy scope to necessary resources.

Questions:

What could be causing the failure in the more specific policy where examplebucket is directly targeted for s3:PutObject permissions?

Are there overlooked aspects or additional configurations needed when specifying a single bucket in IAM policies for s3:PutObject actions?

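The difference between the two policies comes down to how IAM matches the request's resource ARN against the `Resource` element, and two things are easy to trip over when testing a scoped policy: `s3:PutObject` is an object-level action, so the request resource is an object ARN (`arn:aws:s3:::examplebucket/key`), never the bare bucket ARN; and the IAM Policy Simulator evaluates against the literal resource `*` when the Resource field is left blank, which a wildcard policy matches and a bucket-scoped policy does not. The script below is an added example, not code from the question or from AWS: it is a deliberately reduced offline model of IAM matching (Effect, Action, Resource with the `*` and `?` wildcards only; no Condition, NotAction, NotResource, bucket policies, SCPs or permissions boundaries) that runs both policies from the post against three constructed request resources.

```python
"""Offline model of IAM action/resource matching for the two policies in the question.

Added example, not part of the original post and not AWS's evaluation code.
It implements only the subset of IAM evaluation needed here: Effect, Action
and Resource, with IAM's '*' and '?' wildcards. Condition, NotAction,
NotResource, Principal, bucket policies, SCPs and permissions boundaries are
deliberately left out, so a real decision can still differ from this model.
"""
import re

# The two identity policies, transcribed from the question.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::examplebucket/*"}
    ],
}


def iam_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """Match one IAM policy element (pattern) against one request value.

    IAM treats '*' as any run of characters (including '/') and '?' as any
    single character; everything else is literal. Action names are compared
    case-insensitively, resource ARNs case-sensitively.
    """
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(x):
    """Policy elements may be a single string or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for a single identity policy.

    Core IAM rule: a matching Deny wins outright, a matching Allow allows,
    and a request that matches no statement at all is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(iam_match(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(iam_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


# Constructed request resources to probe with (the object key is made up).
BUCKET_ARN = "arn:aws:s3:::examplebucket"            # bucket-level ARN
OBJECT_ARN = "arn:aws:s3:::examplebucket/photo.jpg"  # object-level ARN
SIMULATOR_DEFAULT = "*"  # what the Policy Simulator substitutes for a blank Resource field


def run_cases() -> dict:
    """Evaluate s3:PutObject under both policies against the three resource shapes."""
    return {
        (name, res): evaluate(pol, "s3:PutObject", res)
        for name, pol in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY))
        for res in (SIMULATOR_DEFAULT, BUCKET_ARN, OBJECT_ARN)
    }


if __name__ == "__main__":
    for (name, res), verdict in run_cases().items():
        print(f"{name:8s} s3:PutObject on {res:40s} -> {verdict}")
```

The scoped policy only allows when the request resource is an object ARN under `examplebucket/`; against `*` or the bare bucket ARN it is an implicit deny, which is exactly the shape of result the simulator shows when the Resource field is left empty or filled with the bucket ARN. To reproduce the check against the real service, run the simulator with an object ARN supplied, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:PutObject --resource-arns arn:aws:s3:::examplebucket/test.txt`, and compare the `EvalDecision` with the blank-resource run. If the live call still denies with an object ARN, the cause lies outside the identity policy (a bucket policy, SCP or permissions boundary), which this model does not represent.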