Tijl .Reynhout

Reputation: 1063

Access denied when put bucket policy on aws s3 bucket with root user (= bucket owner)

I have an AWS root user which I used to create a S3 bucket on Amazon.
Now I want to make this bucket public by adding following policy:

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<my bucket name>/*"
   }]
}

Where <my bucket name> is the name of the bucket. When I try to save this policy I get a 403 access denied.

I tried explicitly setting the s3:PutBucketPolicy permission but it still gives a 403. Does anybody know why?

This is the image error:

[image of the AWS error message]

Upvotes: 37

Views: 54795

Answers (9)

Drew H

Reputation: 1312

This error occurs if

  1. You have ACL controls enabled for your bucket (which is not recommended by AWS), AND
  2. Your AWS S3 public access settings disable updating the policy.

That's why most of the solutions listed here instruct you to turn off the S3 Public Access Settings to update the bucket policy.

If you want to update your S3 bucket policy using CloudFormation without manually turning off S3 Public Access Settings each time, you'll need to turn off ACL controls for your bucket.

How to turn off ACL controls for your bucket:

  • Set ownership controls to BucketOwnerEnforced as in:

    S3Bucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: <your bucket name>
        OwnershipControls:
          Rules:
            - ObjectOwnership: BucketOwnerEnforced

After making this change, access to your bucket is fully managed by policies and not ACLs, and CloudFormation can now update the policy without first going through the AWS S3 Public Access Settings.

NOTE: If your bucket relies heavily on ACLs to control access, then be sure you test your policies so that you don't accidentally give access to something you didn't intend.

Please read through AWS's documentation here for a discussion around disabling ACLs and possible unintended consequences.

Upvotes: 0

Aditya Saxena

Reputation: 11

Call this before using putBucketPolicy:

// AWS SDK for JavaScript v2: clear the bucket-level Block Public Access
// settings so that a public bucket policy can then be written.
await s3.putPublicAccessBlock({
  Bucket: bucket_name,
  PublicAccessBlockConfiguration: {
    BlockPublicAcls: false,
    IgnorePublicAcls: false,
    BlockPublicPolicy: false,
    RestrictPublicBuckets: false
  }
}).promise();

Upvotes: 2

Lorenzo Bloedow

Reputation: 131

Just in case anyone is reading this and using Terraform, you have to first use this resource when creating any public policy:

resource "aws_s3_bucket_public_access_block" "example" {
    bucket = aws_s3_bucket.example.id

    block_public_acls       = false
    block_public_policy     = false
}

Upvotes: 3

bln_dev

Reputation: 2421

2023 Update: cdk created bucket

In case someone comes here trying to deploy a bucket: I needed to add blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,

  const siteBucket = new Bucket(stack, BUCKET_ID, {
    bucketName: `${BUCKET_NAME}-${buildConfig.Environment}`,
    publicReadAccess: true,
    blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
    removalPolicy: RemovalPolicy.DESTROY,
    websiteIndexDocument: 'index.html',
  })

Upvotes: 2

theberzi

Reputation: 2695

If deploying via CloudFormation or AWS SAM, you need to explicitly allow the bucket to be public like so:

  MyExampleBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: false
        RestrictPublicBuckets: false

Then you can specify an AWS::S3::BucketPolicy that allows public access.

Upvotes: 26

Ken Krueger

Reputation: 1261

The original blog post on block public access (https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) explains the observed behavior.

It appears you have created the bucket via the console, which means 'block public access' rules are on by default. This includes 'block public access to buckets and objects granted through new public bucket policies'. This option "disallows ... public bucket policies, and ... future PUT requests that include them will fail." This is the exact error described.

Since you are attempting to use a bucket policy, not an ACL, you would need to disable 'block public access to buckets and objects granted through new public bucket policies'. Uncheck that block option and your put will be successful.
This presumes that you have the ability to unblock public access at the account level.

Note that since April 2023, the means by which you create the bucket no longer influences this behavior, see https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/. The block behavior is the same whether a bucket is created via console, CLI, SDK, CloudFormation, CDK, etc.

Upvotes: 0
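As an added illustration (not code from the question or any answer), a small pure-Python model of the rule the answer above describes: a policy that grants a wildcard principal without a narrowing condition is "public", and BlockPublicPolicy at either the account or the bucket level rejects a PutBucketPolicy carrying it. It can serve as a pre-flight check before calling the real API; the list of narrowing condition keys is an assumed, simplified subset of what AWS honours.

```python
import json

# Added illustrative model of S3 Block Public Access (not AWS's own code).
# S3 treats a bucket policy as "public" when an Allow statement grants a
# wildcard principal and no condition pins the caller to a fixed origin. If
# BlockPublicPolicy is true at the account OR the bucket level, PutBucketPolicy
# with such a policy fails with 403 AccessDenied, the error in the question.
# NARROWING_KEYS is an assumed subset of the condition keys AWS honours.
NARROWING_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:sourcearn",
    "aws:sourceaccount", "aws:principalorgid", "aws:principalaccount",
    "aws:principalarn",
}

# Constructed sample: the question's policy with a placeholder bucket name.
QUESTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

def _wildcard_principal(principal):
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def _narrowed(condition):
    # e.g. {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}} makes the grant non-public
    return any(key.lower() in NARROWING_KEYS
               for block in (condition or {}).values() for key in block)

def policy_is_public(policy_json):
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return any(s.get("Effect") == "Allow"
               and _wildcard_principal(s.get("Principal"))
               and not _narrowed(s.get("Condition"))
               for s in statements)

def put_bucket_policy_allowed(policy_json, account_pab, bucket_pab):
    """Pre-flight check. account_pab / bucket_pab are PublicAccessBlockConfiguration
    dicts as returned by get-public-access-block; missing keys count as False."""
    blocked = (account_pab.get("BlockPublicPolicy", False)
               or bucket_pab.get("BlockPublicPolicy", False))
    if blocked and policy_is_public(policy_json):
        return False, "403 AccessDenied: BlockPublicPolicy is on and the policy grants Principal '*'"
    return True, "PutBucketPolicy would be accepted"
```

Feed it the two PublicAccessBlockConfiguration objects from `aws s3control get-public-access-block` (account) and `aws s3api get-public-access-block` (bucket) to see which level is rejecting the write before touching any setting.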

dpatryas

Reputation: 549

For folks struggling with this error using aws-cdk and an already existing bucket:

Check whether you are trying to modify the bucket policy while you have set "blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL" or any other blocking s3.BlockPublicAccess value in the Bucket properties.

You have to turn it off or remove that property if you want to modify the policy. After deploying (modifying) the policy you can set the blockPublicAccess property back again.

Upvotes: 6

Tijl .Reynhout

Reputation: 1063

I've tried creating a new bucket, and by setting the following permission parameters to unchecked (false) the bucket policy can now be adjusted to make the bucket objects public. Afterwards I ticked off the four previous checkboxes and now it works.

[screenshot of the bucket's permissions settings]

Upvotes: 6

Hữu Phong

Reputation: 1603

[screenshot: capture on my AWS S3]

Uncheck the 2 rows to fix the access denied error. But please remember to read it carefully and consider it before you create a new bucket. Permissions are really important.

Upvotes: 37
