I am experimenting with multi-region access points and their over-complicated policy syntax, and I can't get the simplest things to work.
I have 3 buckets spawned across the globe and created a single access point. All my items are private as my multi-region access point policy is not configured yet.
So far I have this:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:GetObject",
                "Resource": [
                    "arn:aws:s3::<my account id>:accesspoint/xyz.mrap"
                ],
                "Condition": {
                    "StringEquals": {
                        "s3:DataAccessPointAccount": "<my account id>"
                    }
                }
            }
        ]
    }
The error indicated states:
Action does not apply to any resource(s) in statement
Their example uses "Action": "*", but I want to limit this.
Can anyone help out what is wrong with my policy?
s3:GetObject applies to objects only. Your arn:aws:s3::<my account id>:accesspoint/xyz.mrap represents an access point, not its objects. Thus it should be:
    "Resource": [
        "arn:aws:s3::<my account id>:accesspoint/xyz.mrap/*"
    ],
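The mismatch the answer points out (an object-level action paired with an access-point-level resource ARN) is easy to check for before the policy is submitted. The following is an added example, not code from the question or answer: a small Python lint that walks a policy document's statements and flags any object action whose Resource list contains no object ARN for the multi-region access point. The account id and the "xyz.mrap" alias are constructed placeholders; the `/object/*` form is the object-ARN shape AWS documents for multi-region access points, and the answer's bare `/*` is accepted as well because a trailing `*` in a resource ARN also matches `object/...` keys.

```python
import json
import re

# Object-level resource for a multi-region access point: either the documented
# "<alias>.mrap/object/<key>" form or the bare "<alias>.mrap/*" wildcard from the answer.
MRAP_OBJECT_RESOURCE = re.compile(
    r"^arn:aws:s3::\d{12}:accesspoint/[a-z0-9]+\.mrap/(object/.*|\*)$"
)
# The access point itself, with no object segment: valid for access-point
# actions, but never for object actions such as s3:GetObject.
MRAP_ACCESSPOINT_RESOURCE = re.compile(
    r"^arn:aws:s3::\d{12}:accesspoint/[a-z0-9]+\.mrap$"
)

# Object-level S3 actions; each needs an object ARN in the Resource element.
OBJECT_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:GetObjectVersion", "s3:GetObjectTagging", "s3:PutObjectTagging",
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_resource_mismatches(policy: dict) -> list[str]:
    """Return one finding per statement whose object actions lack an object ARN."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions or "s3:*" in actions:
            continue  # wildcard actions cover every resource type; nothing to flag
        object_actions = [a for a in actions if a in OBJECT_ACTIONS]
        if not object_actions:
            continue
        if any(MRAP_OBJECT_RESOURCE.match(r) for r in resources):
            continue
        offending = [r for r in resources if MRAP_ACCESSPOINT_RESOURCE.match(r)]
        findings.append(
            f"Statement {index}: {', '.join(object_actions)} needs an object ARN "
            f"('...accesspoint/<alias>.mrap/object/*'), got {offending or resources}"
        )
    return findings


def lint_policy_json(text: str) -> list[str]:
    """Convenience wrapper for a policy pasted as JSON text."""
    return find_resource_mismatches(json.loads(text))


# Constructed sample values, not real identifiers.
ACCOUNT_ID = "123456789012"
MRAP_ALIAS = "xyz.mrap"


def mrap_policy(resource: str, action="s3:GetObject") -> dict:
    """Policy shaped like the question's, with the resource ARN swapped in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": action,
            "Resource": [resource],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT_ID}},
        }],
    }


# The question's policy (access point ARN) and the corrected one (object ARN).
BROKEN = mrap_policy(f"arn:aws:s3::{ACCOUNT_ID}:accesspoint/{MRAP_ALIAS}")
FIXED = mrap_policy(f"arn:aws:s3::{ACCOUNT_ID}:accesspoint/{MRAP_ALIAS}/object/*")

if __name__ == "__main__":
    for name, policy in (("question", BROKEN), ("fixed", FIXED)):
        print(name, find_resource_mismatches(policy) or "ok")
```

Running it reports one finding for the question's policy and none for the corrected one. Note that the lint only checks the resource shape: with `"Principal": {"AWS": "*"}` the corrected statement makes every object readable by anyone who can reach the access point, because the `s3:DataAccessPointAccount` condition pins the account that owns the access point, not the caller.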