Solve - S3 Action Does Not Apply to any Resources Error

Solving - S3 Action Does Not Apply to any Resources Error #

The "Action Does Not Apply to any Resources" S3 error occurs, because we're trying to attach a bucket policy with statements, where the specified Action is not applicable to the specified Resource.

Actions, whose name includes the word Bucket (ListBucket, GetBucketPolicy, GetBucketAcl) should be applied to a Resource of the bucket's ARN (arn:aws:s3:::my-bucket)

Whereas actions, whose names include the word Object (GetObject, PutObject, DeleteObject) should be applied to resources inside of the bucket (arn:aws:s3:::my-bucket/*).

To solve the "Action Does Not Apply to any Resources" error, set the Resource field of Bucket specific actions to the bucket's ARN (arn:aws:s3:::my-bucket) and the Resource field of Object specific actions an ARN inside the bucket (arn:aws:s3:::my-bucket/*).

The following bucket policy grants the ListBucket and GetObject actions in two separate policy statements, because the Actions are applied to different Resources.

Copied!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT_NUMBER:user/YOUR_USERNAME"
      },
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
    }
  ]
}

In the bucket policy example, we have 2 policy statements:

1. Allows the GetObject action to all users (makes the bucket publicly readable). Notice that the GetObject action is applied on all resources inside of the bucket - arn:aws:s3:::YOUR_BUCKET_NAME/*

2. Allows the ListBucket action to a specific IAM user. Notice that the ListBucket action is applied on the bucket itself arn:aws:s3:::YOUR_BUCKET_NAME

If you were to add more actions that include Bucket, e.g. ListBucketMultipartUploads or ListBucketVersions they would have to have the plain bucket ARN as a Resource.

Whereas if you were to add more actions that include Object, e.g. PutObject or DeleteObject the Resource would have to be a path inside the bucket.

The easiest way to determine what the Resource field should look like is to look at the AWS S3 Actions table.

You can use ctrl + f to search for a specific action name and look at the resource type for it.

For example the ListBucket action has a Resource type of bucket:

Notice that the resource type is a hyperlink, if you click on the link the ARN that you have to specify as a Resource in the policy statement will be shown:

The ARN in the screenshot above shows the complete Resource field template for the ListBucket action. All we have to do is replace the ${Partition} placeholder with aws and the ${BucketName} with the name of the bucket.

Similarly, if we look at the GetObject action, we will see that its Resource type is object.

If we click on the hyperlink the expected ARN template for the Resource field is shown:

You can find a complete list for the Actions, Resources and condition keys for all services by clicking on the docs link.

Further Reading #

• AWS CDK Tutorial for Beginners - Step-by-Step Guide
• How does AWS CDK work
• What is a Token in AWS CDK
• CDK Constructs - Complete Guide
• What is an identifier (id) in AWS CDK
• How to use Context in AWS CDK
• How to use Parameters in AWS CDK