Hello.
Can I configure it by operating from the management console instead of CDK?
I did a little search for issues on GitHub, but couldn't find any similar reports.
Since it may be a bug, why not report it as an issue?
https://github.com/aws/aws-cdk/issues
You may be able to check a more detailed error in "ListBuckets" from CloudTrail's event history.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
I also can't see anything wrong with the policy definition. s3:ListBucket isn't an API but a permission, which permits several APIs, such as ListObjects, ListObjectsV2, and HeadBucket. They are considered as data operations, so they won't show in the default CloudTrail trail only containing management events.
The only thing I can see that would obviously refuse the operation but permit it with the AmazonS3FullAccess policy attached would be if the bucket resided in a different AWS account, since the policy used the aws:ResourceAccount condition key to ensure it's in the local account, while AmazonS3FullAccess would allow access to any target account.
The best thing to do would be to enable data event logging for S3 in CloudTrail (https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging.html). The logs would easily show exactly what is attempted and details about the context in which it's being blocked.
You could also extract the policy from the IAM console after deploying it with CDK to confirm that the output is as expected, such as containing the correct bucket ARN and account ID. These are not very likely to be wrong, but it's a simple sanity check to make.
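The following is an added worked example (not code from the thread, from CDK, or from AWS) that illustrates the two points in the answer above: why a statement pinned with aws:ResourceAccount allows s3:ListBucket only when the bucket lives in the local account while an unconditioned s3:* statement allows it anywhere, and what the post-deploy sanity check of the rendered policy looks like. The account IDs, the bucket name, the policy documents and the reduced evaluation model (identity policy only, StringEquals only, no SCPs or resource policies) are all assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample values for this example (not from the thread): a local
# account ID, a second account ID, a bucket name, and an identity policy shaped
# like the one under discussion, with aws:ResourceAccount pinned to the local
# account.
LOCAL_ACCOUNT = "111111111111"
OTHER_ACCOUNT = "222222222222"
BUCKET = "example-bucket"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringEquals": {"aws:ResourceAccount": LOCAL_ACCOUNT}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringEquals": {"aws:ResourceAccount": LOCAL_ACCOUNT}},
        },
    ],
}

# Rough stand-in for AmazonS3FullAccess (assumption): every S3 action on every
# resource, with no account condition.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# The S3 API calls named in the thread and the IAM permission each one needs.
API_TO_PERMISSION = {
    "ListObjects": "s3:ListBucket",
    "ListObjectsV2": "s3:ListBucket",
    "HeadBucket": "s3:ListBucket",
    "GetObject": "s3:GetObject",
}


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Evaluate a Condition block. Only StringEquals is modelled here (an
    assumption of this example); any other operator counts as unmet."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, api, resource_arn, context):
    """Simplified identity-policy evaluation: explicit Deny wins, then Allow,
    otherwise implicit deny. Action and Resource patterns use IAM's * and ?
    wildcards (fnmatchcase is close enough for ARNs without brackets)."""
    permission = API_TO_PERMISSION[api]
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatchcase(permission, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def sanity_check(policy, bucket, account):
    """The post-deploy check from the answer above: take the policy as the IAM
    console shows it (JSON text or already-parsed dict) and report statements
    whose bucket ARN or pinned aws:ResourceAccount do not match the intent."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    problems = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        resources = _as_list(stmt["Resource"])
        if not any(r == "*" or r.startswith(f"arn:aws:s3:::{bucket}") for r in resources):
            problems.append(f"statement {i}: no resource for bucket {bucket}: {resources}")
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:ResourceAccount")
        if pinned is not None and account not in _as_list(pinned):
            problems.append(f"statement {i}: aws:ResourceAccount pinned to {pinned}, expected {account}")
    return problems


if __name__ == "__main__":
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    for account in (LOCAL_ACCOUNT, OTHER_ACCOUNT):
        ctx = {"aws:ResourceAccount": account}
        print(account, "scoped policy:", evaluate(POLICY, "ListObjectsV2", bucket_arn, ctx),
              "| full access:", evaluate(FULL_ACCESS, "ListObjectsV2", bucket_arn, ctx))
    print(sanity_check(json.dumps(POLICY), BUCKET, LOCAL_ACCOUNT))
    print(sanity_check(json.dumps(POLICY), BUCKET, OTHER_ACCOUNT))
```

Running it shows the asymmetry the answer describes: with the bucket in the local account both policies allow ListObjectsV2, with the bucket in another account only the s3:* policy does. Paste the JSON copied from the IAM console into sanity_check with the bucket and account you intended to see whether CDK rendered the ARN and the condition as expected.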