29

I have an AWS root user which I used to create an S3 bucket on Amazon.
Now I want to make this bucket public by adding the following policy:

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<my bucket name>/*"
   }]
}

Where <my bucket name> is the name of the bucket. When I try to save this policy I get a 403 access denied.

I tried explicitly setting the s3:PutBucketPolicy permission but it still gives a 403. Does anybody know why?

This is the image error:

image of the aws error message

Rafa Viotti
Tijl .Reynhout

6 Answers

34

Capture on my AWS S3

Uncheck the 2 rows to fix the access denied error. But please remember to read it carefully and consider it before you create a new bucket. Permission is really important.

Phong
  • 2
    This is incorrect. Tijl is setting a bucket policy, not an ACL. The 'block new public policies' checkmark is the one that needs to be unchecked – Ken Krueger May 01 '23 at 14:44
  • 3
    @KenKrueger This answer is from 2018 and I haven't used AWS for 4 years. Feel free to share your solution below. Thank you. – Phong May 08 '23 at 15:22
19

If deploying via CloudFormation or AWS SAM, you need to explicitly allow the bucket to be public like so:

  MyExampleBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: false
        RestrictPublicBuckets: false

Then you can specify an AWS::S3::BucketPolicy that allows public access.

theberzi
6

I've tried creating a new bucket and by setting the following permission parameters unchecked (false) the bucket policy can now be adjusted to make the bucket objects public. Afterwards I ticked off the four previous checkboxes and now it works.

permissions


Garry Polley
Tijl .Reynhout
4

For folks struggling with this error using aws-cdk and already existing bucket:

Check whether you are trying to modify the bucket policy while you have set "blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL" or any other blocking s3.BlockPublicAccess in the Bucket properties.

You have to turn it off or remove that property if you want to modify the policy. After deploying (modifying) policy you can set the blockPublicAccess property back again.

dpatryas
0

The original blog post on block public access (https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) explains the observed behavior.

It appears you have created the bucket via the console, which means 'block public access' rules are on by default. This includes 'block public access to buckets and objects granted through new public bucket policies'. This option "disallows ... public bucket policies, and ... future PUT requests that include them will fail." This is the exact error described.

Since you are attempting to use a bucket policy, not an ACL, you would need to disable 'block public access to buckets and objects granted through new public bucket policies'. Uncheck that block option and your put will be successful.
This presumes that you have the ability to unblock public access at the account level.

Note that since April 2023, the means by which you create the bucket no longer influences this behavior, see https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/. The block behavior is the same whether a bucket is created via console, CLI, SDK, CloudFormation, CDK, etc.

Ken Krueger
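
The behaviour this answer describes, as an added example (not code from the answer or from AWS): a small offline Python model of how the account-level and bucket-level block settings combine and when saving a public bucket policy is rejected. The function names, the result strings, the placeholder bucket name and the simplified definition of a "public" policy are assumptions of this sketch.

```python
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def effective_pab(account, bucket):
    # S3 applies the most restrictive combination of the account-level and
    # bucket-level settings; keys missing from a dict count as False here.
    return {k: bool(account.get(k)) or bool(bucket.get(k)) for k in PAB_KEYS}

def wildcard_principal(principal):
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    if isinstance(principal, list):
        return "*" in principal
    return principal == "*"

def grants_public_access(policy):
    # Simplification (assumption): public = Allow + wildcard principal + no
    # Condition. AWS's own evaluation also looks at the condition keys used.
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(s.get("Effect") == "Allow"
               and wildcard_principal(s.get("Principal"))
               and not s.get("Condition") for s in stmts)

def predict_put_bucket_policy(policy, account_pab, bucket_pab):
    eff = effective_pab(account_pab, bucket_pab)
    if not grants_public_access(policy):
        return "accepted-not-public"
    if eff["BlockPublicPolicy"]:
        return "denied"               # the 403 from the question
    if eff["RestrictPublicBuckets"]:
        return "accepted-restricted"  # policy saved, anonymous reads still blocked
    return "accepted-public"

# Constructed input: the question's policy with a placeholder bucket name.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")
ALL_ON = dict.fromkeys(PAB_KEYS, True)
ALL_OFF = dict.fromkeys(PAB_KEYS, False)

if __name__ == "__main__":
    cases = {"bucket block on": (ALL_OFF, ALL_ON),
             "account block on": (ALL_ON, ALL_OFF),
             "restrict only": (ALL_OFF, {"RestrictPublicBuckets": True}),
             "both off": (ALL_OFF, ALL_OFF)}
    for name, (acct, bkt) in cases.items():
        print(f"{name}: {predict_put_bucket_policy(QUESTION_POLICY, acct, bkt)}")
```

The "account block on" case shows why unchecking the bucket-level option alone is not enough when the same setting is enabled for the whole account.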
0

2023 Update: cdk created bucket

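In case someone comes here trying to deploy a bucket: I needed to add blockPublicAccess: BlockPublicAccess.BLOCK_ACLS:

  // Imports added for completeness, assuming CDK v2 (aws-cdk-lib)
  import { RemovalPolicy } from 'aws-cdk-lib';
  import { Bucket, BlockPublicAccess } from 'aws-cdk-lib/aws-s3';

  const siteBucket = new Bucket(stack, BUCKET_ID, {
    bucketName: `${BUCKET_NAME}-${buildConfig.Environment}`,
    publicReadAccess: true,
    // BLOCK_ACLS blocks public ACLs only, so the public-read bucket policy can be attached
    blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
    removalPolicy: RemovalPolicy.DESTROY,
    websiteIndexDocument: 'index.html',
  })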
agoldev