S3 policy to perform move action

Question

Which permission needed to perform move action on objects within the same S3 bucket?

To clarify, we have a bucket named BCK and two folders inside named DIR1 & DIR2. An IAM user needs to move objects within DIR1 to DIR2 and when they perform the action from the management console management they get the an error "access denied".

The only policy attached to the user is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:ListBucketVersions"
            ],
            "Resource": [
                "arn:aws:s3:::BCK/*",
                "arn:aws:s3:::BCK"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

Answer 1

There is no "move" command in Amazon S3. Instead, it requires a combination of CopyObject and DeleteObject. You have already provided these permissions.

The Amazon S3 management console also performs additional steps during the copy operation, such as viewing/setting permissions on each object. Therefore, add these permissions:

• s3:GetObjectAcl
• s3:PutObjectAcl