My AWS lifecycle policy doesn't implement due to a bucket policy


I have an S3 bucket where I have a policy in place to prevent anyone from getting access to the objects if they are not from my VPC. However, now when I put a lifecycle policy on the bucket it doesn't apply.

Here is the current policy I have on the bucket:

{
  "Version": "2012-10-17",
  "Id": "Policy1636125293921",
  "Statement": [
      {
          "Sid": "Stmt1636125292369",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::bucketname/*",
          "Condition": {
              "StringNotEquals": {
                  "aws:SourceVPC": [
                      "vpc-0987654321",
                      "vpc-1234567890"
                  ]
              }
          }
      }
  ]
}

I have tried to add a second statement that gives full access to my user with this statement:

{
  "Sid": "Stmt1636125292368",
  "Effect": "Allow",
  "Principal": {
      "AWS": "arn:aws:iam::123456789012:user/username"
  },
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::bucketname/*"
}

I've tried a few different combinations of this second statement, but it is still not running the lifecycle policy. The policy exists and is there, but it doesn't run. Under "Object management overview" for one of the objects the Expiration date and Expiration rule remain blank; however, if I remove the DENY policy, then I am able to see the Expiration date. I need that DENY policy to keep doing what it does, so I can't remove that. I will also add that the user I am using has full admin permissions.

CodePudding user response:

Instead of having the Principal as "*" for the DENY statement, I replaced it with:

"NotPrincipal": {
    "AWS": [
        "arn:aws:iam::123456789012:user/username",
        "arn:aws:iam::123456789012:root"
    ]
}
The policy now denies anyone who isn't from my account, but it also allows anonymous users who are accessing the objects via the VPC to still have access. This has now allowed me to successfully run the lifecycle policy on the bucket.
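To make the difference between the two Deny statements concrete, here is an added example (not from the post) that evaluates both statements against a few request contexts. It uses a deliberately simplified model of IAM evaluation: NotPrincipal is matched by exact ARN comparison, and StringNotEquals is treated as true when the aws:SourceVPC key is absent from the request, as it is for requests that do not arrive through a VPC endpoint.

```python
"""Simplified evaluation of the thread's S3 Deny statement (added example).

Models only what the thread uses: a Deny with Principal "*" or NotPrincipal,
a StringNotEquals condition on aws:SourceVPC, and exact ARN matching.
It is an illustration, not a full IAM policy evaluator.
"""

TRUSTED = ["arn:aws:iam::123456789012:user/username",
           "arn:aws:iam::123456789012:root"]
VPCS = ["vpc-0987654321", "vpc-1234567890"]

# The original statement from the question and the corrected one from the answer
ORIGINAL = {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
            "Condition": {"StringNotEquals": {"aws:SourceVPC": VPCS}}}
FIXED = {"Effect": "Deny", "NotPrincipal": {"AWS": TRUSTED},
         "Action": "s3:GetObject",
         "Condition": {"StringNotEquals": {"aws:SourceVPC": VPCS}}}


def principal_matches(stmt, principal):
    """principal is an ARN string, or None for an anonymous request."""
    if "Principal" in stmt:
        return stmt["Principal"] == "*"   # "*" matches everyone, anonymous included
    # NotPrincipal: the statement applies to everyone NOT in the list.
    # Assumption: exact ARN match only (real IAM has extra rules, e.g. for roles).
    return principal not in stmt["NotPrincipal"]["AWS"]


def condition_matches(stmt, context):
    """StringNotEquals is a negated operator: an absent key evaluates to true."""
    for key, values in stmt["Condition"]["StringNotEquals"].items():
        if context.get(key) in values:
            return False
    return True


def is_denied(stmt, principal, context):
    """True when this Deny statement applies to the request."""
    return (stmt["Effect"] == "Deny"
            and principal_matches(stmt, principal)
            and condition_matches(stmt, context))


def compare(principal, context):
    """Return (denied by ORIGINAL, denied by FIXED) for one request."""
    return is_denied(ORIGINAL, principal, context), is_denied(FIXED, principal, context)


if __name__ == "__main__":
    # Constructed request contexts: one via a listed VPC, one with no VPC at all
    print(compare(None, {"aws:SourceVPC": "vpc-1234567890"}))      # (False, False)
    print(compare(TRUSTED[0], {}))                                   # (True, False)
```

The second call shows the practical difference: with Principal "*", the trusted user making a request outside the listed VPCs is denied just like everyone else, while the NotPrincipal form carves the listed user and the account root out of the Deny.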
