From 7098388ee4c897b33fd6f2db6562a64deadc3319 Mon Sep 17 00:00:00 2001
From: Thomas Schaaf
Date: Fri, 1 Sep 2023 09:06:19 +0200
Subject: [PATCH] IAM policies: allow s3 accesspoint arns (#6743)

---
 moto/iam/policy_validation.py | 44 +++++++++++++++++++++--------
 tests/test_iam/test_iam_policies.py | 14 +++++++++
 2 files changed, 46 insertions(+), 12 deletions(-)

diff --git a/moto/iam/policy_validation.py b/moto/iam/policy_validation.py
index eff39e3a4..cc2516ac0 100644
--- a/moto/iam/policy_validation.py
+++ b/moto/iam/policy_validation.py
@@ -56,11 +56,17 @@ VALID_CONDITION_PREFIXES = ["ForAnyValue:", "ForAllValues:"]
 VALID_CONDITION_POSTFIXES = ["IfExists"]
-SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS = {
- "iam": "IAM resource {resource} cannot contain region information.",
- "s3": "Resource {resource} can not contain region information.",
+SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS: Dict[str, Any] = {
+ "iam": {
+ "error_message": "IAM resource {resource} cannot contain region information."
+ },
+ "s3": {
+ "error_message": "Resource {resource} can not contain region information.",
+ "valid_starting_values": ["accesspoint/"],
+ },
 }
+
 VALID_RESOURCE_PATH_STARTING_VALUES: Dict[str, Any] = {
 "iam": {
 "values": [
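Review bot: The new shape of SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS is undocumented at the point where it is defined: every service entry must carry `"error_message"` (it is indexed unconditionally in the validator), while `"valid_starting_values"` is optional and only the s3 entry has it, and `Dict[str, Any]` lets the type checker verify none of that. I would put a short comment above the dict, e.g. `# Per service: "error_message" (required) is raised for ARNs that carry a region; "valid_starting_values" (optional) lists resource-id prefixes that are allowed to carry one, e.g. S3 access points.` That also records why s3 is the exception, which the diff otherwise leaves to the reader to reconstruct from the test data.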
@@ -375,20 +381,34 @@ class BaseIAMPolicyValidator:
 resource_partitions = resource_partitions[2].partition(":")
 service = resource_partitions[0]
+ region = resource_partitions[2]
+ resource_partitions = resource_partitions[2].partition(":")
+
+ resource_partitions = resource_partitions[2].partition(":")
+ resource_id = resource_partitions[2]
 if (
 service in SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS.keys()
- and not resource_partitions[2].startswith(":")
+ and not region.startswith(":")
 ):
- self._resource_error = (
- SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[service].format(
- resource=resource
- )
- )
- return
+ valid_start = False
- resource_partitions = resource_partitions[2].partition(":")
- resource_partitions = resource_partitions[2].partition(":")
+ for (
+ valid_starting_value
+ ) in SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[service].get(
+ "valid_starting_values", []
+ ):
+ if resource_id.startswith(valid_starting_value):
+ valid_start = True
+ break
+
+ if not valid_start:
+ self._resource_error = (
+ SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[service][
+ "error_message"
+ ].format(resource=resource)
+ )
+ return
 if service in VALID_RESOURCE_PATH_STARTING_VALUES.keys():
 valid_start = False
diff --git a/tests/test_iam/test_iam_policies.py b/tests/test_iam/test_iam_policies.py
index b7ffe8984..6f917718b 100644
--- a/tests/test_iam/test_iam_policies.py
+++ b/tests/test_iam/test_iam_policies.py
@@ -1607,6 +1607,20 @@ valid_policy_documents = [
 },
 ],
 },
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Action": ["s3:*"],
+ "Resource": [
+ "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point",
+ "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/*",
+ ],
+ },
+ ],
+ },
 ]
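Review bot: `region` on the first added line is misnamed: after `service = resource_partitions[0]`, `resource_partitions[2]` is the whole `region:account:resource` tail, so `region.startswith(":")` really means "the region field is empty", and anyone who later uses `region` as a region will be bitten. I would rename it to `region_and_rest`, say so in a comment, and collapse the `valid_start`/`for`/`break` search into one `any(...)`, which also removes the reuse of the `valid_start` name that the unchanged VALID_RESOURCE_PATH_STARTING_VALUES branch assigns right after. The new branch accepts an `accesspoint/` resource whenever the region field is non-empty and never looks at the account field between them; if the format checks earlier in this method do not already require an account id, that deserves a test. The enclosing method starts and ends outside the hunk, and the two `resource_partitions` reassignments are kept because the code below presumably still reads `resource_partitions[2]`.
```python
        service = resource_partitions[0]
        # Everything after "<service>:" -- region, account and resource id are
        # still joined here, so an empty region field shows up as a leading ":".
        region_and_rest = resource_partitions[2]
        resource_partitions = region_and_rest.partition(":")
        resource_partitions = resource_partitions[2].partition(":")
        resource_id = resource_partitions[2]
        if (
            service in SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS
            and not region_and_rest.startswith(":")
        ):
            # IAM and S3 ARNs are normally region-less; the per-service
            # "valid_starting_values" list names the resource-id prefixes that
            # legitimately carry a region (e.g. S3 access points).
            allowed_prefixes = SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[
                service
            ].get("valid_starting_values", [])
            if not any(resource_id.startswith(p) for p in allowed_prefixes):
                self._resource_error = SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[
                    service
                ]["error_message"].format(resource=resource)
                return
        # ... unchanged: VALID_RESOURCE_PATH_STARTING_VALUES check ...
```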
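Review bot: Only the accepting side of the new rule is exercised; the regional S3 ARN the validator still rejects has no case, so a later change that widened `valid_starting_values` or skipped the `error_message` path would pass this suite unnoticed. If the file keeps a list of invalid documents alongside `valid_policy_documents`, I would add a bucket-style resource such as `arn:aws:s3:us-west-2:123456789012:my-bucket` (constructed example) with the expected message `Resource arn:aws:s3:us-west-2:123456789012:my-bucket can not contain region information.`. Because the new check only inspects the resource-id prefix, a case with `accesspoint/` and an empty account field would also pin down whether that is meant to be accepted.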