I have created a policy that allows access to a single S3 bucket in my account. I then created a group that has only this policy and a user that is part of that group.

The user can view, delete and upload files to the bucket, as expected. However, the user does not seem to be able to grant public read access to uploaded files.

When the Grant public read access to this object(s) option is selected, the upload fails.

The bucket is hosting a static website and I want to allow the frontend developer to upload files and make them public.

The policy for the user role is below:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": "arn:aws:s3:::my-bucket"
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

This is what happens when the IAM user tries to grant public access to the uploaded file:

The proxy error seems unrelated, but essentially the upload is stuck and nothing happens. If they don't select the Grant public access option, the upload goes through immediately (despite the proxy error showing up as well).

To reproduce your situation, I did the following:

• Created a new Amazon S3 bucket with default settings (Block Public Access = On)
• Created an IAM User (with no policies attached)
• Created an IAM Group (with no policies attached)
• Added the IAM User to the IAM Group
• Attached your policy (from the Question) to the IAM Group (updating the bucket name) as an inline policy
• Logged into the Amazon S3 management console as the new IAM User

At this point, the user received an Access Denied error because they were not permitted to list all Amazon S3 buckets. Thus, the console was not usable.

Instead, I ran this AWS CLI command:

aws s3 cp foo.txt s3://new-bucket/ --acl public-read

The result was:

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

However, the operation succeeded with:

aws s3 cp foo.txt s3://new-bucket/

This means that the --acl is the component that was denied.

I then went to Block Public Access for the bucket and turned OFF the option called "Block public access to buckets and objects granted through new access control lists (ACLs)". My settings were:

I then ran this command again:

aws s3 cp foo.txt s3://new-bucket/ --acl public-read

It worked!

To verify this, I went back into Block Public Access and turned ON all options (via the top checkbox). I re-ran the command and it was Access Denied again, confirming that the cause was the Block Public Access setting.

Bottom line: Turn off the first Block Public Access setting.

You can do it through AWS CLI Update object's ACL

Option 1: object that's already stored on Amazon S3, you can run this command to update the ACL for public read access:

aws s3api put-object-acl --bucket <<S3 Bucket Name>> --key <<object>> --acl public-read

Option 2: Run this command to grant full control of the object to the AWS account owner and read access to everyone else:

aws s3api put-object-acl --bucket <<S3 Bucket Name>> --key <<object>> --grant-full-control emailaddress=<<[email protected]>> --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers

I found that certain actions (like renaming an object) will fail when executed from the console (but will succeed from the CLI!) when ListAllMyBuckets is not granted for all s3 resources. Adding the following to the IAM policy resolved the issue:

 {
      "Sid": "AccessS3Console",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    }

Some of the actions I tested that failed from the console but succeeded from CLI:

• Renaming an object. The console displays "Error - Failed to rename the file to ". Workaround: deleting and re-uploading the object with a new name.
• Uploading an object with "Grant public read access to this object(s)". The console's status bar shows that the operation is stuck in "in progress". Workaround: Uploading the object without granting public read access, and then right clicking on it and selecting "Make public".

I experienced these issues after following the instructions here https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/ which describe how to restrict access to a single bucket (and preventing seeing the full list of buckets in the account). The post didn't mention the caveats.

To limit a user's Amazon S3 console access to only a certain bucket or folder (prefix), change the following in the user's AWS Identity and Access Management (IAM) permissions:

1. Remove permission to the s3:ListAllMyBuckets action.
2. Add permission to s3:ListBucket only for the bucket or folder that you want the user to access. Note: To allow the user to upload and download objects from the bucket or folder, you must also include s3:PutObject and s3:GetObject.

Warning: After you change these permissions, the user gets an Access Denied error when they access the main Amazon S3 console. The user must access the bucket using a direct console link to the bucket or folder.