4

I am trying to set up a static website using an S3 bucket using the cdk. However, when I deploy the stack I receive the error API: s3:PutBucketPolicy Access Denied. The CLI user I am using has administrator permissions.

I have tried to manually create a bucket with the "Static website hosting" property configured, but when I add the following bucket policy, I receive an Access denied error, even though I am the root user.

    {
      "Id": "PolicyId",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Sid",
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::BUCKET_NAME",
          "Principal": "*"
        }
      ]
    }

Something similar to here.

I have deselected all the public access settings as is suggested, but I still receive an access denied error.

I believe the problem when deploying the cdk code may be related to the problem when creating the bucket manually, but I don't know how to debug it.

SOC
  • 41
  • 1
  • 3

I had a very similar issue which I posted here: https://stackoverflow.com/questions/61144798/why-is-an-admin-account-getting-permission-denied-when-updating-a-bucketpolicy I was able to "resolve" it by updating to the latest version of CDK (1.32.2). It seems there have been some IAM changes that must've fixed this. – jvdub Apr 13 '20 at 14:13

3 Answers

13

In April 2023 AWS must have changed bucket defaults; a fix for AWS CDK projects would be adding blockPublicAccess together with accessControl props as follows:

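    import * as s3 from "aws-cdk-lib/aws-s3";
    import { BlockPublicAccess, BucketAccessControl } from "aws-cdk-lib/aws-s3";
    // ....

    // Content bucket
    const bucket = new s3.Bucket(this, "Bucket", {
      // ... (other props elided in the original answer)
      // Blocks public ACLs only; public bucket policies are still permitted
      blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
      accessControl: BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
    });
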
Volodymyr
  • 176
  • 1
  • 6
2

For folks struggling with this error using aws-cdk and already existing bucket:

Check whether you are trying to modify the bucket policy while you have "blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL" set in the Bucket properties.

You have to turn it off or remove that property if you want to modify the policy. After deploying (modifying) the policy you can set the blockPublicAccess property back again.

dpatryas
  • 409
  • 4
  • 13
-1

This worked for me:

        //Create the web bucket and give it public read access
        this.webBucket = new Bucket(this, 'WebBucket', {
            websiteIndexDocument: 'index.html',
            publicReadAccess: true
        });

        //Deploy the frontend to the web bucket
        new BucketDeployment(this, 'DeployFrontend', {
            source: Source.asset('../ui/dist'),
            destinationBucket: this.webBucket
        });

Also, make sure the "Block public access (account settings)" is turned off in the S3 Console.
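
Added example (not part of any answer above, and not AWS or CDK code): a simplified model of why `s3:PutBucketPolicy` is denied even for an administrator. It checks the question's policy against the Block Public Access settings the answers mention. All function and constant names are hypothetical, and the "public" test is an assumption that only covers an unconditioned wildcard principal.

```typescript
type Principal = string | { [k: string]: string | string[] };
interface Statement { Sid?: string; Effect: string; Principal?: Principal; Action?: string | string[];
  Resource?: string | string[]; Condition?: object }
interface BucketPolicy { Id?: string; Version?: string; Statement: Statement[] }
interface Bpa { blockPublicAcls: boolean; ignorePublicAcls: boolean;
  blockPublicPolicy: boolean; restrictPublicBuckets: boolean }

// True for the anonymous wildcard: "*" or {"AWS": "*"}.
function isWildcardPrincipal(p?: Principal): boolean {
  if (p === undefined) return false;
  if (typeof p === "string") return p === "*";
  const aws = p["AWS"];
  if (aws === undefined) return false;
  return (Array.isArray(aws) ? aws : [aws]).indexOf("*") !== -1;
}

// Assumption: an Allow to a wildcard principal with no Condition counts as public.
// Real S3 also inspects Condition keys; statements with a Condition are not modelled here.
function isPublicPolicy(policy: BucketPolicy): boolean {
  return policy.Statement.some(s =>
    s.Effect === "Allow" && isWildcardPrincipal(s.Principal) && s.Condition === undefined);
}

// S3 applies the most restrictive combination of account-level and bucket-level settings.
function effectiveBpa(account: Bpa, bucket: Bpa): Bpa {
  return {
    blockPublicAcls: account.blockPublicAcls || bucket.blockPublicAcls,
    ignorePublicAcls: account.ignorePublicAcls || bucket.ignorePublicAcls,
    blockPublicPolicy: account.blockPublicPolicy || bucket.blockPublicPolicy,
    restrictPublicBuckets: account.restrictPublicBuckets || bucket.restrictPublicBuckets,
  };
}

// "Accepted" only means Block Public Access does not reject the call; IAM still applies.
function putBucketPolicyOutcome(policy: BucketPolicy, account: Bpa, bucket: Bpa): "AccessDenied" | "Accepted" {
  return isPublicPolicy(policy) && effectiveBpa(account, bucket).blockPublicPolicy
    ? "AccessDenied" : "Accepted";
}

// Constructed inputs: the policy from the question and three setting profiles.
const QUESTION_POLICY: BucketPolicy = { Id: "PolicyId", Version: "2012-10-17", Statement: [
  { Sid: "Sid", Action: "s3:*", Effect: "Allow", Resource: "arn:aws:s3:::BUCKET_NAME", Principal: "*" }] };
const ALL_OFF: Bpa = { blockPublicAcls: false, ignorePublicAcls: false, blockPublicPolicy: false, restrictPublicBuckets: false };
const BLOCK_ALL: Bpa = { blockPublicAcls: true, ignorePublicAcls: true, blockPublicPolicy: true, restrictPublicBuckets: true };
const BLOCK_ACLS: Bpa = { blockPublicAcls: true, ignorePublicAcls: true, blockPublicPolicy: false, restrictPublicBuckets: false };

console.log(putBucketPolicyOutcome(QUESTION_POLICY, ALL_OFF, BLOCK_ALL));  // bucket-level BLOCK_ALL
console.log(putBucketPolicyOutcome(QUESTION_POLICY, BLOCK_ALL, ALL_OFF));  // account-level setting left on
console.log(putBucketPolicyOutcome(QUESTION_POLICY, ALL_OFF, BLOCK_ACLS)); // BLOCK_ACLS on the bucket
```

Because the account-level setting is combined with the bucket-level one, clearing the bucket's checkboxes alone does not change the outcome while the account setting remains on.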