
s3:PutEncryptionConfiguration requires KMS permissions in the IAM policy. However, the AWS IAM policy simulator does not show the same.

The simulator shows an "allow" on the following S3 policy while there are no other policies with KMS permissions. Am I missing something?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

A user cannot make a bucket policy encrypted if the user does not have an IAM policy that spells out access for KMS. In this case, the above S3 policy in the simulator shows allowed.


lft93ryt
  • Could you please clarify what you are trying to do and what error/problem you are encountering? – John Rotenstein May 11 '18 at 12:07
  • @JohnRotenstein definitely. – lft93ryt May 12 '18 at 05:29
  • Yep. It looks like the simulator is testing whether the user/group has permission to call that specific API, rather than whether the API call would complete the operation successfully. I guess it's like having permission to delete a file, but it will fail if the file isn't there. – John Rotenstein May 12 '18 at 09:31
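
Added example (not part of the original question or comments): a simplified evaluator that decides each action against the question's policy on its own, which is why the S3 action comes back allowed while KMS actions checked against the same policy are implicitly denied. The ARNs are constructed, and the KMS action names are an assumption about what an encrypted bucket would need.

```python
import re

# The identity policy from the question, reproduced as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(regex, value, flags) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(policy, action, resource):
    """Decide one (action, resource) pair in isolation.

    Simplified: Action/Resource in an identity policy only; no Condition,
    NotAction, NotResource, resource policies, boundaries or SCPs.
    """
    decision = "implicitDeny"              # nothing has matched yet
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"          # an explicit deny always wins
        decision = "allowed"
    return decision

def simulate(policy, requests):
    """Evaluate every request separately and return {action: decision}."""
    return {action: evaluate(policy, action, res) for action, res in requests}

# Constructed ARNs; the KMS action names are assumed for illustration.
BUCKET = "arn:aws:s3:::example-bucket"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
REQUESTS = [("s3:PutEncryptionConfiguration", BUCKET),
            ("kms:GenerateDataKey", KEY),
            ("kms:Decrypt", KEY)]

if __name__ == "__main__":
    for action, decision in simulate(POLICY, REQUESTS).items():
        print(f"{action:32} {decision}")
```

Simulating the dependent KMS actions alongside the S3 action surfaces the gap that a single-action check does not show.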

0 Answers