
I'm trying to create a policy, whose JSON is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "kms:UntagResource",
                "kms:ListKeyPolicies",
                "kms:ListRetirableGrants",
                "kms:GetKeyPolicy",
                "iam:ListRoles",
                "kms:ListResourceTags",
                "iam:ListInstanceProfiles",
                "kms:ListGrants",
                "kms:GetParametersForImport",
                "kms:DescribeCustomKeyStores",
                "kms:ListKeys",
                "kms:TagResource",
                "s3:ListAllMyBuckets",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:DescribeKey",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::644748426467:"
        }
    ]
}

But when I click on Review Policy, I get "The policy failed legacy parsing" (see screenshot below).

Any idea what my wrong syntax is?

[Screenshot: "The policy failed legacy parsing"]

Edit 1:

The following gives the same "The policy failed legacy parsing" error:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "kms:ListKeyPolicies",
                "kms:UntagResource",
                "kms:ListRetirableGrants",
                "kms:GetKeyPolicy",
                "iam:ListRoles",
                "kms:ListResourceTags",
                "iam:ListInstanceProfiles",
                "kms:ListGrants",
                "kms:GetParametersForImport",
                "kms:DescribeCustomKeyStores",
                "kms:ListKeys",
                "kms:TagResource",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
boardrider

1 Answer


I figured out the correct format for the policy.

When entering resources from the IAM/edit-policy GUI, the resulting JSON is updated with a wrong format.
The correct format for S3 permissions should be arn:aws:s3:::xxxxxx and not arn:aws:::xxxxxx:.
Note that when one manually enters the correctly formatted S3 resource in the JSON, the GUI displays a warning.

This is my working JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:GetParametersForImport",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ListKeyPolicies",
                "kms:ListRetirableGrants",
                "kms:GetKeyRotationStatus",
                "kms:GetKeyPolicy",
                "cloudtrail:CreateTrail",
                "kms:DescribeKey",
                "s3:ListBucket",
                "kms:ListResourceTags",
                "kms:ListGrants"
            ],
            "Resource": [
                "arn:aws:s3:::644748xxxxxx",
                "arn:aws:kms:*:644748xxxxxx:key/*",
                "arn:aws:kms:*:644748xxxxxx:alias/*",
                "arn:aws:cloudtrail:::*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "kms:DescribeCustomKeyStores",
                "kms:ListKeys",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:CreateServiceLinkedRole",
                "kms:ListAliases",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:ListInstanceProfiles"
            ],
            "Resource": "*"
        }
    ]
}
boardrider
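The error in the question comes from a Resource ARN that does not follow the `arn:partition:service:region:account-id:resource` layout (a trailing colon left behind by the visual editor). The following is an added example, not code from the question or answer above, that parses a policy document and applies structural checks to every Resource ARN before it is pasted into the IAM console: six colon-separated fields, no empty partition/service/resource field, and for S3 ARNs an empty region and account-id, no colon in the bucket segment, and a bucket-level ARN when the statement grants `s3:ListBucket`. The function names (`check_arn`, `check_policy`) and the two embedded policy documents are constructed for this example; the checks are a practical subset of what IAM validates, not its full grammar.

```python
import json

# Constructed sample policies: the trailing-colon S3 ARN from the question
# (account id kept as in the post) and the corrected form from the answer.
FAILING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::644748426467:"}
    ]
})

FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::644748xxxxxx"}
    ]
})


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_arn(arn, actions):
    """Return a list of problems found in one Resource ARN (empty list = looks well-formed).

    The checks are structural (ARN layout plus S3 naming rules); they are a
    hypothetical pre-flight check, not a reproduction of IAM's own parser.
    """
    if arn == "*":
        return []
    if not arn.startswith("arn:"):
        return [f"{arn!r}: does not start with 'arn:'"]
    parts = arn.split(":", 5)  # arn:partition:service:region:account-id:resource
    if len(parts) != 6:
        return [f"{arn!r}: expected 6 colon-separated fields, got {len(parts)}"]
    _, partition, service, region, account, resource = parts
    problems = []
    if not partition:
        problems.append(f"{arn!r}: partition field is empty")
    if not service:
        problems.append(f"{arn!r}: service field is empty (e.g. 'arn:aws:::bucket')")
    if not resource:
        problems.append(f"{arn!r}: resource field is empty")
    if service == "s3":
        # S3 ARNs carry no region or account: arn:aws:s3:::bucket[/key]
        if region or account:
            problems.append(f"{arn!r}: S3 ARNs must leave region and account-id empty")
        bucket, _, key = resource.partition("/")
        if ":" in resource:
            problems.append(f"{arn!r}: S3 resource contains ':' (stray trailing colon?)")
        if not bucket:
            problems.append(f"{arn!r}: S3 bucket name is empty")
        # s3:ListBucket is a bucket-level action; an object path in the ARN never matches it
        if key and any(a.lower() == "s3:listbucket" for a in actions):
            problems.append(f"{arn!r}: s3:ListBucket must target the bucket ARN, not an object path")
    return problems


def check_policy(policy_json):
    """Parse a policy document and return a list of (Sid, problem) tuples."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(doc.get("Statement", [])):
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action", []))
        for arn in _as_list(stmt.get("Resource", [])):
            for problem in check_arn(arn, actions):
                findings.append((sid, problem))
    return findings


if __name__ == "__main__":
    for name, doc in (("failing", FAILING_POLICY), ("fixed", FIXED_POLICY)):
        findings = check_policy(doc)
        print(f"{name}: {len(findings)} problem(s)")
        for sid, problem in findings:
            print(f"  [{sid}] {problem}")
```

Running the script reports one finding for the failing document (the colon inside the S3 resource segment) and none for the corrected one; the same `check_policy` call can be pointed at any policy JSON exported from the console before it is submitted.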