I was deploying an IAM user policy using AWS CloudFormation and granted CRUD access to the bucket, but the user could not rename or move a file using the web console.
I was trying to move files and kept getting denied. Then I simply tried renaming files and also got an access denied. I was able to upload and delete files though.
I looked at CloudTrail, and there was no obvious AccessDenied event.
I enabled S3 full control (s3:*), but I was still getting the same error.
I then tried to rename and move files using the CLI, which worked just fine.
Finally, I opened the IAM visual editor and created an entirely new policy for the user, which worked. After inspecting the policy, I noticed some permissions were scoped to the *
resource, and not scoped to any ARN. After I added those to my CloudFormation, the user was able to move files using the web console.
```yaml
# S3 CRUD policy
```

```yaml
# Additional S3 Permissions
```
After some testing, it turns out that the s3:ListAllMyBuckets permission is required to move and rename files using the web UI!
```yaml
- Effect: Allow
```
This is weird because you might not want to list all your buckets if you have multiple clients/departments on the same account.
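As an added example (my own construction, not the template from the post), here is what the finished CloudFormation policy looks like when the bucket-scoped CRUD statements and the account-wide s3:ListAllMyBuckets statement are combined on one IAM user. The bucket name and user name are placeholders, and the inclusion of s3:GetBucketLocation is an assumption about what the console asks for, not something the post states.

```yaml
# Added example (not the author's template): an IAM user with bucket-scoped
# CRUD rights plus the account-wide s3:ListAllMyBuckets the console needs.
# Bucket name and user name are placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BucketName:
    Type: String
    Default: example-client-bucket   # placeholder
Resources:
  ConsoleUser:
    Type: AWS::IAM::User
    Properties:
      UserName: example-s3-user        # placeholder
      Policies:
        - PolicyName: S3CrudPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # S3 CRUD policy: object operations, scoped to one bucket.
              # A console "rename" or "move" is a copy followed by a delete,
              # so it needs Get, Put and Delete on the objects.
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub arn:aws:s3:::${BucketName}/*
              # Bucket-level listing, still scoped to the one bucket.
              # (GetBucketLocation is an assumption, not from the post.)
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource: !Sub arn:aws:s3:::${BucketName}
              # Additional S3 permissions: ListAllMyBuckets is an
              # account-wide action and is only valid with Resource "*".
              # This is the statement the console rename/move needs.
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'
```

The `*` resource on the last statement cannot be narrowed, but what it exposes is limited: s3:ListAllMyBuckets returns bucket names only, and listing or reading the contents of any other bucket still requires s3:ListBucket and s3:GetObject on that bucket's ARN, which this policy does not grant. If bucket names themselves are sensitive across clients or departments, that is the residual risk to weigh, and a separate account per client (or giving those users CLI access instead of the console) is the way to remove it.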
I hope this helps someone :)