
I am using an IAM role to access S3, and if the object is not found then S3 returns 403. I can see the code below in AmazonS3Client. It doesn't cater for 403, and the exception is passed on to the client.

public boolean doesObjectExist(String bucketName, String objectName) throws AmazonServiceException, SdkClientException {
    try {
        // HEAD request on the key; succeeds only if the object exists and is readable
        this.getObjectMetadata(bucketName, objectName);
        return true;
    } catch (AmazonS3Exception var4) {
        // Only a 404 is treated as "does not exist"; a 403 is rethrown to the caller
        if (var4.getStatusCode() == 404) {
            return false;
        } else {
            throw var4;
        }
    }
}

Below is the policy for IAM role.

{
   "Statement":[
      {
         "Action":[
            "s3:List*"
         ],
         "Resource":"arn:aws:s3:::bucket_name",
         "Effect":"Allow"
      },
      {
         "Action":[
            "s3:Get*",
            "s3:PutObject*",
            "s3:DeleteObject*"
         ],
         "Resource":"arn:aws:s3:::bucket_name/*",
         "Effect":"Allow"
      }
   ]
}

I read somewhere that if the object is not found then AWS tries a list, and if list permission is not available then it throws a 403 error.

My question is: what exact change can I make in the policy that will stop the 403? It is a government client and any change takes a lot of time. If you can help me with the precise policy change it will be a great help. My guess is "s3:ListBucket". I am not able to replicate it locally as I can't use the IAM role, and on other environments I don't have permissions.

Edit: I already have "s3:List*" for the bucket resource. How will adding S3:ListBucket to bucket/* help?

Sammy Pawar
  • Even after adding s3:List* in the second block as well, I am still getting the same error: "Received error response: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden" – Sammy Pawar Jan 25 '19 at 11:16
  • Mmmh, I would try s3:ListBucket and double-check the spelling of the bucket name in the resource section. – Sébastien Stormacq Jan 25 '19 at 14:02

1 Answer


Please check the answer to this question: How do I have an S3 bucket return 404 (instead of 403) for a key that does not exist in the bucket?

It explains why S3 returns 403 instead of 404 when you don't have access to the bucket (hint: to not disclose information to malicious users).

The solution is to receive the permission for the ListBucket API, as you suggested.

In 'Actions' add 'S3:ListBucket'.

Sébastien Stormacq