
I am experimenting with multi-region access points and their over-complicated policy syntax, and I can't get the simplest things to work.

I have 3 buckets spawned across the globe and created a single access point. All my items are private as my multi-region access point policy is not configured yet.

So far I have this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3::<my account id>:accesspoint/xyz.mrap"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointAccount": "<my account id>"
                }
            }
        }
    ]
}

The error indicated states:

Action does not apply to any resource(s) in statement

Their example uses "Action" : "*", but I want to limit this.

Can anyone help me figure out what is wrong with my policy?

HelloWorld

2 Answers

Per docs, the access point policy needs the /object/* prefix:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3::123456789012:accesspoint/xyz.mrap",
                "arn:aws:s3::123456789012:accesspoint/xyz.mrap/object/*"
            ]
        }
    ]
}

It looks like you are trying to grant public access with a principal of "AWS": "*". The steps to review:

  1. Ensure your MRAP is created with public access block off
  2. Delegate permissions from your buckets up to your MRAP, per this guide, ensuring the bucket is not getting in the way
  3. Create the MRAP Policy to suit
danialk

s3:GetObject applies to objects only. Your arn:aws:s3::<my account id>:accesspoint/xyz.mrap represents the access point, not its objects. Thus it should be:

            "Resource": [
                "arn:aws:s3::<my account id>:accesspoint/xyz.mrap/*"
            ],
Marcin
  • Thanks! I tried the resource, and `"Action": "*",` and it still says: `Policy has invalid resource`. I copied the ARN from above the policy input field and added `/*`, so no typo. – HelloWorld Jan 30 '22 at 05:02
  • It seems to continue without the /* though. Now it's an access denied, so I accept your answer and go further down the rabbit hole. Thanks again! – HelloWorld Jan 30 '22 at 05:10
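Both answers above come down to the same rule: object-level actions such as s3:GetObject need an object-level resource ARN (the access point ARN followed by /object/*), while access-point-level actions such as s3:ListBucket need the bare access point ARN, and a Principal of "*" without a Condition is a public grant worth flagging before the policy is applied. The following is an added example, not code from either answer or from AWS: a small offline linter that checks an MRAP policy document for exactly those mismatches. It assumes the ARN shapes given in the first answer (bare `arn:aws:s3::<account>:accesspoint/<alias>.mrap` and the same ARN with `/object/<key>`), treats any other suffix such as the `/*` tried in the comments as an invalid resource, and uses the constructed account id 123456789012 in place of the question's placeholder.

```python
import json
import re

# Actions that act on objects and therefore need an object-level resource ARN.
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"}
# Actions that act on the access point itself and need the bare access point ARN.
CONTAINER_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}

# Assumed ARN shapes, taken from the answers above: the bare MRAP ARN, optionally
# followed by /object/<key pattern> for object-level access. Anything else
# (e.g. a plain /* suffix) is reported as an invalid resource.
MRAP_ARN = re.compile(
    r"^arn:aws:s3::(?P<account>\d{12}):accesspoint/(?P<alias>[a-z0-9]+\.mrap)"
    r"(?P<object>/object/.*)?$"
)


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public(principal) -> bool:
    """True when the statement's Principal grants to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_mrap_policy(policy_json: str) -> list:
    """Return human-readable findings for an MRAP policy; [] means nothing flagged."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        # Sort the resources into object-level and access-point-level ARNs.
        object_level, container_level = [], []
        for arn in resources:
            m = MRAP_ARN.match(arn)
            if m is None:
                findings.append(f"statement {idx}: invalid resource {arn!r}")
            elif m.group("object"):
                object_level.append(arn)
            else:
                container_level.append(arn)

        # Each action must have at least one resource of the matching level,
        # otherwise the console reports "Action does not apply to any resource(s)".
        for action in actions:
            if action in OBJECT_ACTIONS and not object_level:
                findings.append(
                    f"statement {idx}: {action} applies to objects only, but no "
                    f"resource ends in /object/*"
                )
            if action in CONTAINER_ACTIONS and not container_level:
                findings.append(
                    f"statement {idx}: {action} applies to the access point, but no "
                    f"resource is the bare access point ARN"
                )

        # An unconditional Allow to everyone is a public grant; surface it.
        if stmt.get("Effect") == "Allow" and _is_public(stmt.get("Principal")) \
                and "Condition" not in stmt:
            findings.append(
                f"statement {idx}: Principal \"*\" with no Condition grants public access"
            )
    return findings


# Constructed samples: the question's policy with a placeholder 12-digit account
# id, and the corrected policy from the first answer.
QUESTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": ["arn:aws:s3::123456789012:accesspoint/xyz.mrap"],
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": "123456789012"}},
    }],
})

FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [
            "arn:aws:s3::123456789012:accesspoint/xyz.mrap",
            "arn:aws:s3::123456789012:accesspoint/xyz.mrap/object/*",
        ],
    }],
})

if __name__ == "__main__":
    for name, doc in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_mrap_policy(doc) or "no findings")
```

Run against the question's policy the linter reports the s3:GetObject/resource mismatch; run against the corrected policy it reports nothing about resources but does flag that the unconditional "AWS": "*" principal is a public grant, which is the point of step 1 in the first answer (public access block must be off for it to work at all).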