Black Swan

Reputation: 853

AWS S3 : access denied to object while "bucket block public access" is off

I am new to AWS. I am saving files to AWS from my Java application. The file is being saved in the bucket, no problem with that. But the real problem starts when trying to access them. Every time I get:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>8B350BEBBDF0386B</RequestId>
<HostId>77cB7pybpshSC7TfDilGiPHvKfd91wI24iQJ8ach7jLIBuqOeB+hfDz7soLE1p0ZqrUyoRqgPCw=</HostId>
</Error>

I have checked the AWS settings; both my bucket and the object are public. I have searched on the internet, and most of the solutions talk about making the ACL public, which I think I already did.

Bucket Policy:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "Allow-OAI-Access-To-Bucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxbucket/*"
        },
        {
            "Sid": "Allow-Public-Access-To-Bucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxbucket/*"
        },
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxbucket/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-1a2b3c4d"
                }
            }
        }
    ]
}

Account-level public access.


Object Level ACL public access.

Bucket is public

While permission has been given to the public, I do not understand why it is giving an Access Denied error.

Upvotes: 2

Views: 1501

Answers (1)

Marcin

Reputation: 238737

Based on the comments.

The bucket policy contains an explicit deny statement, which prohibits any access to the objects from outside of the given VPC (including any access from the internet):

        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxbucket/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-1a2b3c4d"
                }
            }
        }

Thus, to make the objects publicly accessible over the internet for the website, the statement should be removed.

Upvotes: 0
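The behaviour described in the question's policy and diagnosed in the answer follows from two IAM evaluation rules: an explicit Deny always overrides an Allow, and a negated operator such as StringNotEquals evaluates to true when the condition key (here aws:sourceVpce) is absent from the request context, which is the case for every request arriving from the public internet. The following small evaluator is an added example, not code from the question, the answer or AWS; it models only Action, Resource and the StringEquals/StringNotEquals operators for an anonymous principal, reuses the policy from the question verbatim (with its placeholder bucket name and VPC endpoint id), and shows the decision before and after removing the Deny statement as the answer suggests.

```python
import fnmatch
import json

# The bucket policy from the question, copied as-is (placeholder bucket name,
# VPC endpoint id as given there).
BUCKET_POLICY = json.loads("""
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {"Sid": "Allow-OAI-Access-To-Bucket", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::xxxxxxxbucket/*"},
        {"Sid": "Allow-Public-Access-To-Bucket", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::xxxxxxxbucket/*"},
        {"Sid": "Access-to-specific-VPCE-only", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::xxxxxxxbucket/*",
         "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}
    ]
}
""")

# Constructed object key used for the worked requests below (hypothetical).
OBJECT_ARN = "arn:aws:s3:::xxxxxxxbucket/report.pdf"


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a Condition block against the request context.

    Only StringEquals / StringNotEquals are modelled. A key missing from the
    request context makes StringEquals false but StringNotEquals TRUE, which is
    how AWS treats negated operators: an internet request carries no
    aws:sourceVpce, so it still matches the Deny statement above.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected_values = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected_values:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def statement_applies(stmt, action, resource, context):
    """True when the statement's Action, Resource and Condition all match the request."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' using the IAM order of evaluation:
    an applicable explicit Deny wins outright; otherwise an Allow is required;
    with neither, the request is implicitly denied."""
    decision = "Deny"  # implicit deny until an Allow is found
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits every Allow
        decision = "Allow"
    return decision


def without_statement(policy, sid):
    """Copy of the policy with the statement carrying the given Sid removed
    (the fix proposed in the answer)."""
    return {**policy, "Statement": [s for s in policy["Statement"] if s.get("Sid") != sid]}


if __name__ == "__main__":
    # Request from the internet: no aws:sourceVpce in the context -> Deny
    print("internet:", evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, {}))
    # Request through the named VPC endpoint -> Allow
    print("via VPCE:", evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN,
                                {"aws:sourceVpce": "vpce-1a2b3c4d"}))
    # Policy with the Deny statement removed, as the answer recommends -> Allow
    fixed = without_statement(BUCKET_POLICY, "Access-to-specific-VPCE-only")
    print("after fix:", evaluate(fixed, "s3:GetObject", OBJECT_ARN, {}))
```

Running the script prints Deny for the internet request, Allow for the request that arrives through vpce-1a2b3c4d, and Allow once the Deny statement is gone; the same check can be made against a live bucket with the IAM policy simulator, but the toy evaluator makes the reason visible: the Deny is not "the public is allowed but blocked elsewhere", it is the policy itself denying every request that lacks the endpoint id.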
