28

I'm trying to make my S3 bucket public but when I add the following policy I get Error Access Denied:

```json
{
   "Version":"2012-10-17",
   "Statement":[{
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal":"*",
      "Action":[
         "s3:GetObject"
      ],
      "Resource":[
         "arn:aws:s3:::emergencydatascience.org/*"
      ]
   }]
}
```
Richard Trinh
  • Potential [duplicate](https://stackoverflow.com/questions/2547046/make-a-bucket-public-in-amazon-s3) – openwonk Nov 16 '18 at 22:33
  • If you’re trying to use it as a website, you should enable static site hosting and/or create a CloudFront distribution with the S3 bucket as an origin. – openwonk Nov 16 '18 at 22:35
  • I enabled static hosting; the endpoint is http://emergencydatascience.org.s3-website-us-east-1.amazonaws.com but you'll get a 403 error as the bucket is not set to public yet. I've tried different bucket policies and it always says Error Access Denied. I'm an admin on the account; it should let me change the bucket policy, but it says I don't have access to that. – Richard Trinh Nov 16 '18 at 22:41
  • Maybe I don't have root access? The account is owned by a colleague. I've been granted admin access that should be enough to work. – Richard Trinh Nov 16 '18 at 23:36
  • My guess: if you have permission to alter the bucket policy, then you have the ability to make it readable... Is there an “index.html” in each folder in your bucket? I would opt for adding CloudFront... – openwonk Nov 17 '18 at 00:12
  • I added CloudFront: d3s44ff9bo8gsz.cloudfront.net but it gives me the same error as when accessing through the endpoint. Bucket hasn't been set to public yet therefore I get 403 errors. I should have permission to change bucket policy but it says access denied when I try to change it to make it public. – Richard Trinh Nov 17 '18 at 00:19
  • Ya, bucket policy / folder access is the issue. CloudFront was just a suggestion – openwonk Nov 17 '18 at 00:21
  • 5
    Solved. By default, the S3 bucket seems to block new public policies. Turn that to false in public access settings and you can edit the bucket policy again. – Richard Trinh Nov 17 '18 at 00:39
  • 3
    This is a new AWS security feature called S3 Block Public Access, as of 21 hours ago: https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/ – jarmod Nov 17 '18 at 01:23
  • Wow! How timely! – openwonk Nov 17 '18 at 02:20

4 Answers

35

Go into your Bucket > Permissions > Public access settings > Edit > Untick "Block new public ACLs and uploading public objects" and "Remove public access granted through public ACLs" (warning)


Thai Ha
11

AWS has introduced Amazon S3 Block Public Access – Another Layer of Protection for Your Accounts and Buckets | AWS News Blog.

You must now disable this feature on any buckets you wish to be publicly accessible.

John Rotenstein
2

To enable public access to an object, modify the public access for the account, such as: [screenshot]

Also enable the same at the bucket level as well: [screenshot]

Without these changes, you cannot add new public policy.

Ramp
0

While AWS policy is quite dynamic, please be aware that the answer below works as of the date I provide it and can change over time. What is required to CREATE a new bucket with a public access policy is to change the account-level "Block public access" configuration to the following: [screenshot]

Once this change is done, the regular settings at the bucket level need to be performed as well: adding the policy and changing the bucket-level "Block public access" (in the same way as was done at the account level).
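
An added example (not from any of the answers above): an offline Python model of how the four Block Public Access flags combine across the account and bucket levels, and which of them stop the policy from the question. The flag names are the real `PublicAccessBlockConfiguration` keys; the function names are hypothetical, and the "is this policy public" test is a simplification (wildcard principal, no `Condition`) of the evaluation AWS performs.

```python
# The four real PublicAccessBlockConfiguration keys used by S3.
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
         "BlockPublicPolicy", "RestrictPublicBuckets")

def effective_block(account_cfg, bucket_cfg):
    """Most restrictive combination: a flag is on if it is on at
    either the account level or the bucket level."""
    return {f: bool(account_cfg.get(f) or bucket_cfg.get(f)) for f in FLAGS}

def _is_wildcard(principal):
    if isinstance(principal, dict):          # e.g. {"AWS": "*"}
        principal = principal.get("AWS")
    values = principal if isinstance(principal, list) else [principal]
    return "*" in values

def policy_is_public(policy):
    """Simplified assumption: an Allow statement with a wildcard
    principal and no Condition makes the policy public."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(s.get("Effect") == "Allow"
               and _is_wildcard(s.get("Principal"))
               and not s.get("Condition")
               for s in statements)

def preflight(policy, account_cfg, bucket_cfg):
    """List the flags that stop a public policy from taking effect."""
    if not policy_is_public(policy):
        return []
    eff = effective_block(account_cfg, bucket_cfg)
    blockers = []
    if eff["BlockPublicPolicy"]:
        blockers.append("BlockPublicPolicy")      # PutBucketPolicy is denied
    if eff["RestrictPublicBuckets"]:
        blockers.append("RestrictPublicBuckets")  # anonymous reads stay blocked
    return blockers

# The policy from the question; the settings passed to preflight() are constructed.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::emergencydatascience.org/*"]}],
}

if __name__ == "__main__":
    all_on = dict.fromkeys(FLAGS, True)
    print(preflight(QUESTION_POLICY, all_on, {}))  # account level still on
```

An empty list from `preflight` means neither policy-related flag is in effect at either level; anything else names the setting that still has to be cleared before the policy can be saved or can serve anonymous requests.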