Tags: amazon-web-services, amazon-s3, amazon-iam

How can two IAM statements have the same Sid?


I have just stumbled upon an s3 bucket policy within my organisation containing multiple statements, two of which are:

        {
            "Sid": "ReadFromEKS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/redacted"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject",
                "s3:GetObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        },
        {
            "Sid": "ReadFromEKS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::210987654321:role/redacted"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject",
                "s3:GetObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }

(These were copy/pasted from the AWS console, then I changed the bucket and role ARNs)

I am confused because my understanding was that Statement IDs (Sids) had to be unique within a policy. Clearly here they are not.

Am I incorrect in my belief that Sids are unique within a policy? If that belief is not incorrect, how could this policy possibly exist?


Solution

  • The Sid is not required to be unique everywhere; see the docs:

    In IAM, the Sid value must be unique within a JSON policy.

    and

    Some AWS services (for example, Amazon SQS or Amazon SNS) might require this element and have uniqueness requirements for it. For service-specific information about writing policies, refer to the documentation for the service you work with.

    S3 only recommends uniqueness, while IAM requires it; you can verify this by writing the policies in JSON in the AWS console and inspecting the resulting warning/error.

    Unfortunately, I have not been able to find any S3 documentation that explicitly says uniqueness is only recommended; that may be because the default simply is non-unique, IAM enforces uniqueness, and therefore only that is explicitly mentioned in the docs.
    The example bucket policies already include a few policies with non-unique Sids.
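As an added illustration (not part of the question or the answer), a small Python check that flags repeated Sids in a bucket policy and lists which principals sit behind one name, since S3 will accept such a policy and the duplicate name can hide two distinct grants from someone auditing by Sid. The sample policy is constructed from the two statements in the question, using their placeholder ARNs.

```python
import json
from collections import defaultdict

# Constructed sample: the question's two statements wrapped in a complete
# bucket-policy document (ARNs are the question's placeholder values).
_ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
            "s3:PutObjectAcl", "s3:DeleteObject", "s3:GetObjectAcl"]
_RESOURCES = ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadFromEKS", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/redacted"},
         "Action": _ACTIONS, "Resource": _RESOURCES},
        {"Sid": "ReadFromEKS", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::210987654321:role/redacted"},
         "Action": _ACTIONS, "Resource": _RESOURCES},
    ],
})


def _statements(policy_json: str) -> list[dict]:
    """Normalise "Statement", which may be one object or a list, to a list."""
    statements = json.loads(policy_json).get("Statement", [])
    return [statements] if isinstance(statements, dict) else statements


def duplicate_sids(policy_json: str) -> dict[str, list[int]]:
    """Return {sid: [statement indexes]} for every Sid used more than once.
    S3 accepts such policies, so a review step has to catch them; statements
    with no Sid are skipped because only explicit names can collide."""
    seen = defaultdict(list)
    for idx, stmt in enumerate(_statements(policy_json)):
        if "Sid" in stmt:
            seen[stmt["Sid"]].append(idx)
    return {sid: idxs for sid, idxs in seen.items() if len(idxs) > 1}


def principals_for_sid(policy_json: str, sid: str) -> list[str]:
    """List every AWS principal granted under one Sid, so a reviewer sees that
    a repeated name covers several grants (here: roles in two accounts)."""
    found = []
    for stmt in _statements(policy_json):
        if stmt.get("Sid") != sid:
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        found.extend([aws] if isinstance(aws, str) else aws)
    return found
```

Running `duplicate_sids(BUCKET_POLICY)` on the sample reports `ReadFromEKS` at statement indexes 0 and 1, and `principals_for_sid` returns both role ARNs for that name.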