Just hit this little fun thing. Using the rename command over SFTP seems to use the s3:CopyObject action, which attempts to copy any object tags along with the object itself. The IAM policy associated with the SFTP user must therefore allow s3:GetObjectTagging and s3:PutObjectTagging, or a rename command will get an Access Denied message with no other details. If no object tagging is being used, this probably isn't necessary. In the policy below, the s3:GetObjectTagging and s3:PutObjectTagging entries are the two additions to an otherwise standard SFTP user policy.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::S3_BUCKET_NAME_HERE"
        },
        {
            "Sid": "AllowObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectACL",
                "s3:PutObjectTagging",
                "s3:PutObject",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:GetObjectTagging",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::S3_BUCKET_NAME_HERE/*"
        }
    ]
}
```
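As an added check (my own example, not part of the original note), here is a small Python script that reads a policy like the one above and reports which of the actions a rename needs are not allowed on a given object ARN, so the silent Access Denied can be caught before a user hits it. The exact set of actions it checks, the wildcard handling, and the `example-bucket` name are assumptions; it does not model NotAction/NotResource or condition keys.

```python
import fnmatch

# Object-level actions an SFTP rename needs. The note above says a rename is a
# CopyObject, which also reads and writes object tags; the full set below
# (including deleting the old key) is my assumption, not taken from the page.
RENAME_ACTIONS = ("s3:GetObject", "s3:GetObjectTagging",
                  "s3:PutObject", "s3:PutObjectTagging", "s3:DeleteObject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # IAM treats '*' and '?' as wildcards; action names compare
    # case-insensitively, resource ARNs case-sensitively.
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))

def missing_rename_permissions(policy, object_arn):
    """Return the rename-related actions the policy does not allow on object_arn.

    Mirrors IAM evaluation only as far as needed here: an explicit Deny that
    matches the action and resource overrides any Allow. NotAction/NotResource
    statements are not modelled and are skipped.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or not _matches(stmt.get("Resource", []),
                                                object_arn, False):
            continue
        for action in RENAME_ACTIONS:
            if _matches(stmt["Action"], action, True):
                (allowed if stmt["Effect"] == "Allow" else denied).add(action)
    return [a for a in RENAME_ACTIONS if a not in allowed or a in denied]

# Constructed sample: the policy as it looked before the tagging actions were
# added (bucket name is a placeholder).
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow",
     "Action": ["s3:PutObjectACL", "s3:PutObject", "s3:GetObjectVersion",
                "s3:GetObjectACL", "s3:GetObject", "s3:DeleteObjectVersion",
                "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print(missing_rename_permissions(BEFORE, "arn:aws:s3:::example-bucket/in/a.txt"))
    # → ['s3:GetObjectTagging', 's3:PutObjectTagging']
```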