AWS Certified Security - Specialty: Troubleshooting a Bucket Policy Error

Rectifying "Action does not apply to any resource(s) in statement."

Question

You are creating a policy to allow users to access objects in a bucket called appbucket. You define the following custom bucket policy:

    {
      "ID": "Policy1502987489630",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1502987487640",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::appbucket",
          "Principal": "*"
        }
      ]
    }

But when you try to apply the policy, you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error?

Answers

A. Change the IAM permissions by applying PutBucketPolicy permissions.
B. Verify that the policy has the same name as the bucket name. If not, make it the same.
C. Change the Resource section to "arn:aws:s3:::appbucket/*".
D. Create the bucket "appbucket" and then apply the policy.

Explanations

Answer - C.

When you grant access to objects in a bucket, the Resource element must name the objects, not just the bucket. Object-level actions such as s3:GetObject and s3:GetObjectVersion apply only to object ARNs of the form arn:aws:s3:::appbucket/key, while the bare bucket ARN arn:aws:s3:::appbucket matches only bucket-level actions such as s3:ListBucket. Because neither action in the statement can apply to the one resource listed, S3 rejects the policy.

In this case the wildcard covers every object in the bucket: arn:aws:s3:::appbucket/*. Note that this ARN matches objects only; a statement that also needs a bucket-level action (for example s3:ListBucket) must list the bucket ARN as a second resource. Also note that "Principal": "*" makes every object in the bucket publicly readable, and if S3 Block Public Access is enabled on the bucket or the account, the PutBucketPolicy call is rejected even after the Resource is corrected.

Option A is invalid because the error comes from policy validation, not from a missing permission; the caller already had enough permission to attempt the update.

Option B is invalid because a bucket policy has no name that must match the bucket; the Id element is an optional identifier.

Option D is invalid because a bucket policy can only be attached to a bucket that already exists, which is the flow being followed; the error concerns the content of the policy, not the bucket.

For more information on bucket policies please visit the below URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

The error message "Action does not apply to any resource(s) in statement" indicates a problem with the Resource section of the policy. It means that the statement lists actions, but none of the listed resources is of a type those actions operate on: here the actions are object-level, and the only resource is a bucket ARN.

In this case the Resource section specifies only the ARN of the bucket, which is not sufficient to allow users to access objects in the bucket. To fix this error, you need to modify the Resource section so that it identifies objects in the bucket.

Option C, "Change the Resource section to "arn:aws:s3:::appbucket/*"," is the correct answer because it adds the wildcard character (*) after the bucket name and a slash, so the statement applies to all objects within appbucket.

Option A, "Change the IAM permissions by applying PutBucketPolicy permissions" is not the correct answer because the issue is not with the IAM permissions but with the bucket policy itself.

Option B, "Verify that the policy has the same name as the bucket name. If not, make it the same" is not the correct answer because the policy name and the bucket name do not have to be the same for the policy to work.

Option D, "Create the bucket "appbucket" and then apply the policy" is not the correct answer because the bucket already exists, and the error is with the policy, not the bucket.
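As an added example (not part of the original question or its answer key), the following Python script reproduces the check behind the error offline: it classifies each S3 action as bucket-level or object-level, classifies each Resource ARN the same way, and reports every action that cannot apply to any listed resource. It then applies the fix from option C and separately flags Allow statements whose Principal is "*" as public. The action tables are a hand-picked subset of real S3 actions, the function names are hypothetical helpers written for this page, and nothing here calls AWS.

```python
"""Offline reproduction of the S3 bucket-policy check that yields
"Action does not apply to any resource(s) in statement".
Hypothetical helper for this page, not an AWS SDK API; never contacts AWS.
"""
import copy
import fnmatch
import json

# Object-level actions apply only to object ARNs: arn:aws:s3:::bucket/key
OBJECT_ACTIONS = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl",
    "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectVersion",
}
# Bucket-level actions apply only to the bucket ARN: arn:aws:s3:::bucket
BUCKET_ACTIONS = {
    "s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucket",
}

# The policy from the question, embedded as constructed sample input.
BROKEN_POLICY = {
    "ID": "Policy1502987489630",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1502987487640",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::appbucket",
        "Principal": "*",
    }],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_kinds(arn):
    """Return the set of resource kinds ('bucket', 'object') an S3 ARN matches."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        raise ValueError(f"not an S3 ARN: {arn}")
    name = arn[len(prefix):]
    if name == "*":                      # arn:aws:s3:::* covers buckets and objects
        return {"bucket", "object"}
    return {"object"} if "/" in name else {"bucket"}


def action_kinds(action):
    """Return the set of resource kinds a (possibly wildcarded) action applies to."""
    kinds = set()
    if any(fnmatch.fnmatchcase(a, action) for a in OBJECT_ACTIONS):
        kinds.add("object")
    if any(fnmatch.fnmatchcase(a, action) for a in BUCKET_ACTIONS):
        kinds.add("bucket")
    if not kinds:
        raise ValueError(f"action not in the tables above: {action}")
    return kinds


def validate_resources(policy):
    """One finding per action that matches none of its statement's resources."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        covered = set().union(*(resource_kinds(r) for r in _as_list(stmt["Resource"])))
        for action in _as_list(stmt["Action"]):
            if not action_kinds(action) & covered:
                findings.append(
                    f"{sid}: {action}: Action does not apply to any resource(s) in statement")
    return findings


def public_statements(policy):
    """Sids of Allow statements with an anonymous principal, i.e. public access."""
    return [stmt.get("Sid", "<no Sid>") for stmt in _as_list(policy["Statement"])
            if stmt.get("Effect") == "Allow"
            and stmt.get("Principal") in ("*", {"AWS": "*"})]


def fix_object_resources(policy):
    """Option C, generalised: in statements granting only object-level actions,
    turn each bare bucket ARN into the object wildcard bucket/*."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed["Statement"]):
        needed = set().union(*(action_kinds(a) for a in _as_list(stmt["Action"])))
        if needed != {"object"}:
            continue
        resources = [r + "/*" if resource_kinds(r) == {"bucket"} else r
                     for r in _as_list(stmt["Resource"])]
        stmt["Resource"] = resources[0] if isinstance(stmt["Resource"], str) else resources
    return fixed


if __name__ == "__main__":
    for finding in validate_resources(BROKEN_POLICY):
        print("error:", finding)
    fixed = fix_object_resources(BROKEN_POLICY)
    print("fixed policy passes:", validate_resources(fixed) == [])
    print("public statements:", public_statements(fixed))
    print(json.dumps(fixed, indent=2))
```

The reverse mismatch is caught too: a statement granting s3:ListBucket on arn:aws:s3:::appbucket/* produces the same finding, which is why a read-and-list policy needs both the bucket ARN and the bucket/* ARN in its Resource list.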