Reputation: 1063
I have an AWS root user which I used to create a S3 bucket on Amazon.
Now I want to make this bucket public by adding following policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::<my bucket name>/*"
  }]
}
Where <my bucket name> is the name of the bucket. When I try to save this policy I get a 403 access denied.
I tried explicitly setting the s3:PutBucketPolicy permission but it still gives a 403. Does anybody know why?
This is the image error:
Upvotes: 37
Views: 54795
Reputation: 1312
This error occurs if
That's why most of the solutions listed here instruct you to turn off the S3 Public Access Settings to update the bucket policy.
If you want to update your S3 Bucket policy using Cloudformation without manually turning off S3 Public Access Settings each time, you'll need to turn off ACL controls for your bucket.
How to turn off ACL controls for your bucket: use BucketOwnerEnforced, as in:
S3Bucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: <your bucket name>
    OwnershipControls:
      Rules:
        - ObjectOwnership: BucketOwnerEnforced
After making this change, access to your bucket is fully managed by policies and not ACLs, and Cloudformation can now update the policy without first going through the AWS S3 Public Access Settings.
NOTE: If your bucket relies heavily on ACLs to control access, then be sure you test your policies so that you don't accidentally give access to something you didn't intend.
Please read through AWS's documentation here for a discussion of disabling ACLs and the possible unintended consequences.
Upvotes: 0
Reputation: 11
Call this before using putBucketPolicy:
await s3.putPublicAccessBlock({
  Bucket: bucket_name,
  PublicAccessBlockConfiguration: {
    BlockPublicAcls: false,
    IgnorePublicAcls: false,
    BlockPublicPolicy: false,
    RestrictPublicBuckets: false
  }
}).promise();
Upvotes: 2
Reputation: 131
Just in case anyone is reading this and using Terraform, you have to first use this resource when creating any public policy:
resource "aws_s3_bucket_public_access_block" "example" {
  bucket              = aws_s3_bucket.example.id
  block_public_acls   = false
  block_public_policy = false
}
Upvotes: 3
Reputation: 2421
In case someone comes here trying to deploy a bucket:
I needed to add blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
const siteBucket = new Bucket(stack, BUCKET_ID, {
  bucketName: `${BUCKET_NAME}-${buildConfig.Environment}`,
  publicReadAccess: true,
  blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
  removalPolicy: RemovalPolicy.DESTROY,
  websiteIndexDocument: 'index.html',
})
Upvotes: 2
Reputation: 2695
If deploying via CloudFormation or AWS SAM, you need to explicitly allow the bucket to be public like so:
MyExampleBucket:
  Type: AWS::S3::Bucket
  Properties:
    PublicAccessBlockConfiguration:
      BlockPublicPolicy: false
      RestrictPublicBuckets: false
Then you can specify an AWS::S3::BucketPolicy that allows public access.
Upvotes: 26
Reputation: 1261
The original blog post on block public access (https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) explains the observed behavior.
It appears you have created the bucket via the console, which means 'block public access' rules are on by default. This includes 'block public access to buckets and objects granted through new public bucket policies'. This option "disallows ... public bucket policies, and ... future PUT requests that include them will fail." This is the exact error described.
Since you are attempting to use a bucket policy, not an ACL, you would need to disable 'block public access to buckets and objects granted through new public bucket policies'. Uncheck that block option and your put will be successful.
This presumes that you have the ability to unblock public access at the account level.
Note that since April 2023, the means by which you create the bucket no longer influences this behavior, see https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/. The block behavior is the same whether a bucket is created via console, CLI, SDK, CloudFormation, CDK, etc.
Upvotes: 0
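An added example (not code from any answer in this thread) that models the Block Public Access rule the answer above describes: PutBucketPolicy is rejected when the effective BlockPublicPolicy setting (bucket-level OR account-level) is on and the policy is "public", i.e. it allows an anonymous principal with no restricting condition. The condition-key list is a simplified subset (an assumption), the sample policies and configurations are constructed, and it goes one step beyond the thread by showing that a wildcard-principal grant scoped by aws:SourceVpce is not public and is accepted even with the block on.

```python
import json

# Condition keys that make a wildcard-principal grant non-public (simplified subset, an assumption;
# the S3 docs carry the full list).
NON_PUBLIC_CONDITION_KEYS = {"aws:principalarn", "aws:principalaccount", "aws:principalorgid",
                             "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:sourcearn",
                             "aws:sourceaccount", "aws:userid"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def _condition_restricts(condition):
    """True if any condition key limits who can use the grant."""
    return any(key.lower() in NON_PUBLIC_CONDITION_KEYS
               for block in (condition or {}).values() for key in block)

def is_public_policy(policy_json):
    """A policy is public if some Allow statement is anonymous and unrestricted."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return any(s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
               and not _condition_restricts(s.get("Condition")) for s in statements)

def effective_block(bucket_cfg, account_cfg=None):
    """Bucket and account settings are ORed: either level alone can block."""
    account_cfg = account_cfg or {}
    return {k: bool(bucket_cfg.get(k) or account_cfg.get(k)) for k in BPA_KEYS}

def put_bucket_policy_allowed(policy_json, bucket_cfg, account_cfg=None):
    """Return (allowed, reason), mirroring the 403 the question describes."""
    if effective_block(bucket_cfg, account_cfg)["BlockPublicPolicy"] and is_public_policy(policy_json):
        return False, "AccessDenied: BlockPublicPolicy is on and the policy grants public access"
    return True, "policy accepted"

# Constructed sample inputs: the question's policy, a VPC-endpoint-scoped variant,
# the console default configuration (all four blocks on) and a fully unblocked one.
QUESTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
VPCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
CONSOLE_DEFAULT = dict.fromkeys(BPA_KEYS, True)
UNBLOCKED = dict.fromkeys(BPA_KEYS, False)
```

Feed the output of the real `get_public_access_block` calls (bucket via S3, account via S3 Control) into `put_bucket_policy_allowed` to predict the 403 before attempting the put.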
Reputation: 549
For folks struggling with this error using aws-cdk and an already existing bucket:
Check whether you are trying to modify the bucket policy while you have set "blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL" or any other blocking s3.BlockPublicAccess in the Bucket properties.
You have to turn it off or remove that property if you want to modify the policy. After deploying (modifying) the policy you can set the blockPublicAccess property back again.
Upvotes: 6
Reputation: 1063
I've tried creating a new bucket and by setting the following permission parameters unchecked (false) the bucket policy can now be adjusted to make the bucket objects public. Afterwards I ticked off the four previous checkboxes and now it works.
Upvotes: 6
Reputation: 1603
Uncheck the 2 rows to fix the access denied error. But please remember to read it carefully and consider it before you create a new bucket. Permission is really important.
Upvotes: 37