AWS IAM Policy for allowing s3cmd to sync to an S3 bucket

It’s a good idea to set an IAM access policy for anything that accesses AWS using your account details, I wanted to do this for s3cmd syncing a local directory to an s3 bucket. There are a number of posts on setting up the IAM policy for s3cmd already but none of the examples worked, I got a 403 permission denied error when running the s3cmd sync command.

After some digging it turns out that s3cmd now tries to set an ACL on the files it uploads, and this needs to be specifically allowed in the ACL. I’m guessing that it didn’t in the past, hence the now incorrect IAM advice. So here is the new working IAM policy, complete with the s3:PutObjectAcl permission added:

(See jrantil’s comment below on wether s3:ListAllMyBuckets is needed in this instance)

"Version": "2012-10-17",
"Statement": [
"Sid": "Stmt1397834652000",
"Effect": "Allow",
"Action": [
"Resource": [
"Sid": "Stmt1397834745000",
"Effect": "Allow",
"Action": [
"Resource": [

view raw


hosted with ❤ by GitHub

9 thoughts on “AWS IAM Policy for allowing s3cmd to sync to an S3 bucket

  1. jrantil says:

    Hm, just making sure here, why is listing all buckets required?

  2. Will Jessop says:

    It’s so long ago that I forget. It may be that s3cmd sync requires it, but if you test it and find that it isn’t I’d be happy to know.

  3. Laxman SR says:


    Work perfectly for me. thanks a lots.

  4. bfredit says:

    This works great with `aws s3 sync` as well!

  5. I can confirm that the policy without s3:ListAllMyBuckets works for aws s3 sync.

  6. You’ll want to add “s3:DeleteObject” to be able to delete files, e.g.: when using `–delete-removed –force` to keep the destination bucket clean.

  7. Will says:

    The minimum which actually worked for me using aws s3 sync –delete

    – PolicyName: “s3SyncTaskPolicy”
    Version: 2012-10-17
    – Effect: Allow
    – s3:DeleteObject
    – s3:ListBucket
    – s3:GetObject
    – s3:GetBucketLocation
    – s3:PutObject
    – s3:PutObjectAcl
    – “arn:aws:s3:::bucketname”
    – “arn:aws:s3:::bucketname/*”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: