Aws S3 Only PutObject Policy

Question

i'm trying to setup a Only PutObject policy to by bucket as following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt####",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

However when i try to upload a file thought AWS SDK I receive a 403 response from AWS. I'm absolutely sure to use the correct access key of the IAM user that has this policy attached to it.

Anyone knows why AWS3 complain with this policy when it shouldn't?

Edit:

After hours of trials, I came across a weird behaviour which i would like to be explained.

If I add s3:ListBucket to the above policy it just works fine. Without it, it will return a 403. Why amazon force me to put ListBucket action when i don't want to have it?

Thanks

Answer 1

Best way to troubleshoot this is to give your policy following action and resources:

"Action": [
    "s3:*"
],
"Resource": [
    "arn:aws:s3:::my-bucket",
    "arn:aws:s3:::my-bucket/*"
]

This will confirm you're using correct access key. If it goes through, you're most likely using unauthorized actions (e.g. s3:ListBucket). You can use CloudTrail to find which unauthorized actions are being called.