- Newest
- Most votes
- Most comments
In the Deny statement, the Principal field is empty (""). It's generally a best practice to specify the principal even in Deny statements. Try updating it to "*" to explicitly deny access to any principal.
{
"Sid":"DenyAllExcept",
"Effect":"Deny",
"Principal":"*",
"Action":"s3:",
"Resource":[
"arn:aws:s3:::AAA-aws-flow-logs/*",
"arn:aws:s3:::AAA-aws-flow-logs"
],
"Condition":{
"NotIpAddress":{
"aws:SourceIp":[
"1.2.3.4",
"5.6.7.8"
]
}
}
}
Hello,
Warm Greetings from AWS Premium Support. I hope you're doing well.
Thank you for reaching out to us with your concern. Firstly, I checked the Policy attached with the case notes, When I replicated in my lab environment I get Invalid principal format: The Principal element contents are not valid. Specify a key-value pair in the Principal element.
This is because, I can see that in "DenyAllExcept" statement, the Principal field is empty (""). As per AWS Policy, we need to specify key-value pair in the Principal element. Hence I would suggest you to enter the respective value anf try again.
{ "Sid":"DenyAllExcept", "Effect":"Deny", "Principal":"", "Action":"s3:", "Resource":[ "arn:aws:s3:::AAA-aws-flow-logs/", "arn:aws:s3:::AAA-aws-flow-logs" ], "Condition":{ "NotIpAddress":{ "aws:SourceIp":[ "1.2.3.4", "5.6.7.8" ] } } }
Incase If you face any error after making the change, Kindly share the error message. To view the exact error message, you can use cloudtrail to check the exact error message. Once, you get the error, kindly reach back to us , we will troubleshoot the issue further.
Hi,
Thank you for looking into it. The principal statement is not empty and has a star for everything as it is indicated in a policy. Policy applies without any issues.
Regards
Relevant content
- asked 4 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 months ago
