Carlo S

Reputation: 983

AWS S3 upload fails with ACL public-true

I have this simple script in Ruby to upload a file to S3 that I got from the AWS documentation:

require 'aws-sdk-s3'

# Uploads file_path to bucket_name under object_key with a public-read ACL.
# s3_resource is an Aws::S3::Resource.
def object_uploaded?(s3_resource, bucket_name, object_key, file_path)
  object = s3_resource.bucket(bucket_name).object(object_key)
  File.open(file_path, 'rb') do |file|
    object.put(body: file, acl: 'public-read')
  end
  return true
rescue StandardError => e
  puts "Error uploading object: #{e.message}"
  return false
end

The script gives me Access Denied when I add acl: 'public-read'. It works fine if I remove that.

The only way for this to work is to make my S3 bucket public.

This is my bucket policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1610635552932",
    "Statement": [
        {
            "Sid": "Stmt1610635551842",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[mybucket]/*"
        }
    ]
}

And this is my IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListStorageLensConfigurations",
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:CreateJob"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::[mybucket]",
                "arn:aws:s3:::[mybucket]/*"
            ]
        }
    ]
}

Is there any way I can turn on Block public access as recommended by AWS and still have publicly accessible files by setting the ACL? What is wrong with my policy?

Upvotes: 0

Views: 1131

Answers (1)

user9367311

Reputation:

You cannot upload a file with ACL public-read if the bucket's block public access setting is on. Per the documentation: "Amazon S3 block public access prevents the application of any settings that allow public access to data within S3 buckets." (https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access.html)

Upvotes: 0
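As an added example (not code from the question or the answer), the plain-Ruby model below encodes the documented Block Public Access semantics and shows why each piece of the question's setup fails while the setting is on. It makes no AWS calls: the hash keys are assumed to mirror the aws-sdk-s3 attribute names for PublicAccessBlockConfiguration, the bucket policy is a constructed copy of the one in the question, and the "public statement" check is a simplified version of the AWS rule.

```ruby
require 'json'

# Block Public Access settings, keyed by the attribute names the aws-sdk-s3
# gem uses for PublicAccessBlockConfiguration (assumed here, no SDK call is
# made). All four on is the console's "Block all public access" switch that
# the question wants to keep enabled.
BPA_ALL_ON = {
  block_public_acls: true,
  ignore_public_acls: true,
  block_public_policy: true,
  restrict_public_buckets: true
}.freeze

# Canned ACLs that grant permissions to the AllUsers or AuthenticatedUsers
# groups; S3 treats any such ACL as public.
PUBLIC_ACLS = %w[public-read public-read-write authenticated-read].freeze

# Constructed copy of the bucket policy from the question (bucket name is a
# placeholder).
QUESTION_BUCKET_POLICY = <<~JSON
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Stmt1610635551842",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::[mybucket]/*"
      }
    ]
  }
JSON

# Simplified form of the AWS "public statement" rule: an Allow for any
# principal with no Condition block. AWS also classifies some conditioned
# statements as public; this check only covers the unconditioned case.
def public_statement?(stmt)
  return false unless stmt['Effect'] == 'Allow'
  principal = stmt['Principal']
  any_principal = principal == '*' ||
                  (principal.is_a?(Hash) && Array(principal['AWS']).include?('*'))
  any_principal && !stmt.key?('Condition')
end

def public_policy?(policy_json)
  Array(JSON.parse(policy_json)['Statement']).any? { |s| public_statement?(s) }
end

# BlockPublicAcls: a PutObject that carries a public canned ACL is rejected
# with AccessDenied, which is the error the question reports. An upload with
# no ACL (or a private one) is unaffected.
def put_object_allowed?(bpa, acl: nil)
  return true if acl.nil? || !PUBLIC_ACLS.include?(acl)
  !bpa[:block_public_acls]
end

# IgnorePublicAcls: an object that already carries a public ACL is still
# served as private while the setting is on, so turning off only
# BlockPublicAcls would let the upload succeed without making the file readable.
def acl_grants_public_read?(bpa, acl)
  PUBLIC_ACLS.include?(acl) && !bpa[:ignore_public_acls]
end

# BlockPublicPolicy: PutBucketPolicy with a public statement is rejected, so
# the question's bucket policy cannot be attached while the switch is fully on.
def put_bucket_policy_allowed?(bpa, policy_json)
  return true unless public_policy?(policy_json)
  !bpa[:block_public_policy]
end

if __FILE__ == $PROGRAM_NAME
  puts "PutObject acl=public-read with BPA on: #{put_object_allowed?(BPA_ALL_ON, acl: 'public-read')}"
  puts "PutObject without ACL with BPA on:     #{put_object_allowed?(BPA_ALL_ON)}"
  puts "Question's bucket policy is public:    #{public_policy?(QUESTION_BUCKET_POLICY)}"
  puts "PutBucketPolicy with BPA on:           #{put_bucket_policy_allowed?(BPA_ALL_ON, QUESTION_BUCKET_POLICY)}"
end
```

Running it shows the two outcomes that matter for the question: the public-read PutObject and the Principal "*" bucket policy are both refused while the switch is on, and an upload with no ACL goes through. The setting does not bend for individual files, so this kind of pre-flight check is useful before deciding whether to change the ACL, the policy, or the Block Public Access configuration itself.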
