Does the user executing sync from an ec2 instance to an S3 bucket need to have access to the entire S3 tree?

Put works just fine (local file up to S3), but sync gives a 403 from S3 unless the user (via IAM) has full access to all S3.


s3cmd put --recursive /mnt/incoming/ s3://bucket/incoming/
/mnt/incoming/file3.txt -> s3://bucket/incoming/file3.txt [1 of 1]

but

s3cmd sync --recursive /mnt/incoming/ s3://bucket/incoming/
ERROR: S3 error: 403 (AccessDenied): Access Denied

It seems related to the bucket the user has permissions to?

So put will work, but sync will not, if the policy (via IAM) is "Resource": "arn:aws:s3:::bucket/incoming/*"

If you change it to your entire S3 bucket range, sync does work: "Resource": "arn:aws:s3:::*"


which, if true, is an issue since that opens things up way too far. Can anyone else confirm?
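The difference between the two commands is that sync has to list the remote prefix before it can diff it against the local tree, and s3:ListBucket is a bucket-level action: IAM evaluates it against the bucket ARN (arn:aws:s3:::bucket), which a Resource of arn:aws:s3:::bucket/incoming/* never matches, while s3:PutObject is evaluated against the object ARN, which does match. The least-privilege fix is a separate statement granting s3:ListBucket on the bucket ARN, confined with the s3:prefix condition key, alongside the object actions on the prefix. The Python below is an added example, not code from the post: it builds that policy and runs the two requests through a toy evaluator to show why the prefix-only policy denies the listing. The Action list in the reconstructed failing policy and the evaluator itself (Allow statements and the s3:prefix StringLike condition only, no Deny, NotAction or other condition keys) are assumptions for illustration.

```python
import json
import re

BUCKET = "bucket"      # bucket name as written in the post
PREFIX = "incoming/"   # prefix being synced into

# Assumed reconstruction of the poster's failing policy: object actions only,
# scoped to the prefix. The Action list is an assumption; the post quotes only
# the Resource line.
PREFIX_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}*",
    }],
}


def least_privilege_sync_policy(bucket, prefix):
    """Policy that lets `s3cmd sync` work on one prefix without arn:aws:s3:::*.

    s3:ListBucket is evaluated against the bucket ARN, not an object ARN, so it
    needs its own statement; the s3:prefix condition keeps the listing confined
    to the prefix. Object actions stay scoped to objects under the prefix.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThePrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "ObjectsUnderThePrefix",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def _iam_match(pattern, value):
    """IAM wildcard semantics: '*' matches any run of characters (including
    '/'), '?' matches exactly one. Character classes are not IAM syntax, hence
    a regex build rather than fnmatch."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource, prefix=None):
    """Toy evaluator (assumption, not the real IAM engine): allowed if any Allow
    statement matches the action, the resource and, when present, the
    s3:prefix StringLike condition. Deny/NotAction/other conditions are ignored."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_iam_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None:
            if prefix is None or not any(_iam_match(p, prefix) for p in _as_list(wanted)):
                continue
        return True
    return False


def simulate(policy, bucket, prefix):
    """The two requests that differ between `s3cmd put` and `s3cmd sync`:
    put only writes objects; sync first lists the remote prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}file3.txt"   # object name from the post
    return {
        "put_object": is_allowed(policy, "s3:PutObject", object_arn),
        "list_prefix": is_allowed(policy, "s3:ListBucket", bucket_arn, prefix=prefix),
    }


if __name__ == "__main__":
    print("prefix-only policy :", simulate(PREFIX_ONLY_POLICY, BUCKET, PREFIX))
    tight = least_privilege_sync_policy(BUCKET, PREFIX)
    print("least-privilege    :", simulate(tight, BUCKET, PREFIX))
    print(json.dumps(tight, indent=2))
```

Two caveats before using the printed policy for real: the toy evaluator ignores explicit Deny statements, bucket policies and SCPs, so confirm the result with the IAM policy simulator, and the s3:prefix condition denies any listing request that omits a prefix parameter, which some tools issue when listing the bucket root.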