Question

I'm trying to let my iOS app upload to S3 using credentials it gets from a slightly modified anonymous token vending machine.

The policy statement my token vending machine returns is:

{"Statement":
    [
        {"Effect":"Allow",
         "Action":"s3:*",
         "Resource":"arn:aws:s3:::my-bucket-test",
         "Condition": {
            "StringLike": {
                "s3:prefix": "66-*"
            }
         }
        },
        {"Effect":"Deny","Action":"sdb:*","Resource":["arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/__USERS_DOMAIN__","arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/TokenVendingMachine_DEVICES"]},
        {"Effect":"Deny","Action":"iam:*","Resource":"*"}
    ]
}

The object I'm trying to put has the same bucket name and key 66-3315F11E-84FA-417F-9C32-AC4BE364AD99.natural.mp4.

As far as I understand this should work fine, but it doesn't, and throws an access denied message. Is there anything wrong with my policy statement?


Solution

You don't need to use prefix to refer to the resource for the context of Object operations. I'd also recommend restricting the S3 actions. Here is a recommended policy, based on the one from an article on an S3 Personal File Store. Feel free to remove the ListBucket if it doesn't make sense for your app.

{"Statement":
    [
        {"Effect":"Allow",
         "Action":["s3:PutObject","s3:GetObject","s3:DeleteObject"],
         "Resource":"arn:aws:s3:::my-bucket-test/66-*"
        },
        {"Effect":"Allow",
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:::my-bucket-test",
         "Condition":{
              "StringLike":{
                   "s3:prefix":"66-*"
              }
         }
        },  
        {"Effect":"Deny","Action":"sdb:*","Resource":["arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/__USERS_DOMAIN__","arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/TokenVendingMachine_DEVICES"]},
        {"Effect":"Deny","Action":"iam:*","Resource":"*"}
    ]
 } 
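To make the distinction concrete, here is an added example that is not part of the original question or answer: a deliberately simplified, constructed model of IAM policy evaluation (assumption: an explicit Deny wins, any matching Allow grants, everything else is an implicit deny; only Effect, Action, Resource and the StringLike operator are modelled, and the SimpleDB Deny statements are omitted because they do not affect the S3 decision). It evaluates the question's policy and the answer's policy against the PutObject request from the question and a few ListBucket requests. The point it demonstrates: PutObject acts on the object ARN, which the bucket ARN does not match, and PutObject requests carry no s3:prefix key, so a StringLike condition on that key can never be satisfied for them. The bucket name, key and policy contents are the ones on this page; the evaluator itself is the assumption.

```python
import fnmatch

# Constructed, simplified model of IAM policy evaluation (assumption): explicit
# Deny wins, any matching Allow grants, otherwise implicit deny. Only Effect,
# Action, Resource and the StringLike condition operator are supported.

BUCKET_ARN = "arn:aws:s3:::my-bucket-test"
OBJECT_ARN = BUCKET_ARN + "/66-3315F11E-84FA-417F-9C32-AC4BE364AD99.natural.mp4"

# The policy from the question: s3:* on the bucket ARN, gated on s3:prefix.
ORIGINAL_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET_ARN,
     "Condition": {"StringLike": {"s3:prefix": "66-*"}}},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}

# The policy from the answer: object actions on an object ARN pattern,
# ListBucket on the bucket ARN gated on s3:prefix.
RECOMMENDED_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": BUCKET_ARN + "/66-*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN,
     "Condition": {"StringLike": {"s3:prefix": "66-*"}}},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(value, patterns):
    # IAM wildcards are * and ?; fnmatchcase handles both, case-sensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_matches(stmt, action, resource, context):
    if not _any_match(action, stmt["Action"]):
        return False
    if not _any_match(resource, stmt["Resource"]):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(f"unsupported condition operator {operator}")
        for key, patterns in tests.items():
            # A condition key absent from the request context evaluates to
            # false (no ...IfExists suffix). PutObject requests never carry
            # s3:prefix, so this StringLike can never match them.
            if key not in context or not _any_match(context[key], patterns):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request."""
    context = context or {}
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    # Constructed request cases; the object key is the one from the question.
    cases = [
        ("PutObject 66-... key", "s3:PutObject", OBJECT_ARN, {}),
        ("PutObject 77-... key", "s3:PutObject", BUCKET_ARN + "/77-x.mp4", {}),
        ("ListBucket prefix 66-", "s3:ListBucket", BUCKET_ARN, {"s3:prefix": "66-"}),
        ("ListBucket no prefix", "s3:ListBucket", BUCKET_ARN, {}),
        ("iam:CreateUser", "iam:CreateUser", "*", {}),
    ]
    for name, action, resource, ctx in cases:
        print(f"{name:24} original={evaluate(ORIGINAL_POLICY, action, resource, ctx):13}"
              f" recommended={evaluate(RECOMMENDED_POLICY, action, resource, ctx)}")
```

Running it shows the question's policy yielding an implicit deny for the PutObject request (the resource does not match and the condition key is absent), while the answer's policy allows it, still denies keys outside the 66- prefix and unprefixed listing, and keeps the explicit Deny on IAM. The same reasoning is what the real service applies; the model just makes it visible without an AWS account.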
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow