Access denied when put bucket policy on aws s3 bucket with root user (= bucket owner)

Question

I have an AWS root user which I used to create a S3 bucket on Amazon.
Now I want to make this bucket public by adding following policy:

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<my bucket name>/*"
   }]
}

Where <my bucket name> is the name of the bucket. When I try to save this policy I get a 403 access denied.

I tried explicitly setting the s3:PutBucketPolicy permission but it still gives a 403. Anybody knows why?

This is the image error:

Answer 1

This error occurs if

1. You have ACL controls enabled for your bucket (which is not recommended by AWS), AND
2. Your AWS S3 public access settings disable updating the policy.

That's why most of the solutions listed here instruct you to turn off the S3 Public Access Settings to update the bucket policy.

If you want to update your S3 Bucket policy using Cloudformation without manually turning off S3 Public Access Settings each time, you'll need to turn off ACL controls for your bucket.

How to turn off ACL controls for your bucket:

• Set ownership controls to BucketOwnerEnforced as in

  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: <your bucket name>
      OwnershipControls:
        Rules:
        - ObjectOwnership: BucketOwnerEnforced

After making this change, access to your bucket is fully managed by policies and not ACLs, and Cloudformation can now update the policy without first going through the AWS S3 Public Access Settings.

NOTE: If your bucket relies heavily on ACLs to control access, then be sure you test your policies so that you don't accidentally give access to something you didn't intend.

Please read through AWS's documentation, here for discussion around disabling ACLs and possible unintended consequences.

Answer 2

call this before using putBucketPolicy:

await s3.putPublicAccessBlock({
      Bucket: bucket_name,
      PublicAccessBlockConfiguration: {
        BlockPublicAcls: false,
        IgnorePublicAcls: false,
        BlockPublicPolicy: false,
        RestrictPublicBuckets: false
      }
    }).promise();

Answer 3

Just in case anyone is reading this and using Terraform, you have to first use this resource when creating any public policy:

resource "aws_s3_bucket_public_access_block" "example" {
    bucket = aws_s3_bucket.example.id

    block_public_acls       = false
    block_public_policy     = false
}

Answer 4

2023 Update: cdk created bucket

In case someone comes here trying to deploy a bucket: I needed to add blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,

  const siteBucket = new Bucket(stack, BUCKET_ID, {
    bucketName: `${BUCKET_NAME}-${buildConfig.Environment}`,
    publicReadAccess: true,
    blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
    removalPolicy: RemovalPolicy.DESTROY,
    websiteIndexDocument: 'index.html',
  })

Answer 5

If deploying via CloudFormation or AWS SAM, you need to explicitly allow the bucket to be public like so:

  MyExampleBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: false
        RestrictPublicBuckets: false

Then you can specify an AWS::S3::BucketPolicy that allows public access.

Answer 6

The original blog post on block public access (https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) explains the observed behavior.

It appears you have created the bucket via the console, which means 'block public access' rules are on by default. This includes 'block public access to buckets and objects granted through new public bucket policies'. This option "disallows ... public bucket policies, and ... future PUT requests that include them will fail." This is the exact error described.

Since you are attempting to use a bucket policy, not an ACL, you would need to disable 'block public access to buckets and objects granted through new public bucket policies'. Uncheck that block option and your put will be successful.
This presumes that you have the ability to unblock public access at the account level.

Note that since April 2023, the means by which you create the bucket no longer influences this behavior, see https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/. The block behavior is the same whether a bucket is created via console, CLI, SDK, CloudFormation, CDK, etc.

Answer 7

For folks struggling with this error using aws-cdk and already existing bucket:

Take a look if you are not trying to modify bucket policy when you have set "blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL" or any other blocking s3.BlockPublicAccess in Bucket properties.

You have to turn it off or remove that property if you want to modify the policy. After deploying (modifying) policy you can set the blockPublicAccess property back again.

Answer 8

I've tried creating a new bucket and by setting the following permission parameters unchecked (false) the bucket policy can now be adjusted to make the bucket objects public. Afterwards I ticked off the four previous checkboxes and now it works.

permissions

Answer 9

Uncheck 2 rows for fixing the access denied. But please remember reading it clearly and consider it before you create a new bucket. Permission is really important.