
I'm trying to figure out whether it is possible to use AWS S3 Access Point for hosting a static S3 website.

S3WebsiteBucket.WebsiteURL resource described below works great but I need to use Access Point instead.

The failure message whenever I request the index file (the URL is like https://my-access-point-0000000000.s3-accesspoint.eu-north-1.amazonaws.com/index.html) is the following:

InvalidRequest The authorization mechanism you have provided is not supported. Please use Signature Version 4.

My CloudFormation template:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  S3WebsiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
      VersioningConfiguration:
        Status: Enabled

  S3WebsiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: AllowPublicRead
        Version: 2012-10-17
        Statement:
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3WebsiteBucket
                - /*
      Bucket: !Ref S3WebsiteBucket

  S3AccessPoint:
    Type: AWS::S3::AccessPoint
    Properties:
      Bucket: !Ref S3WebsiteBucket
      Name: my-access-point
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: false
```

Is it possible to use an S3 Access Point for such a task at all, or is it not meant for public access (static websites)? If that's possible, is there anything that I missed - perhaps S3AccessPoint needs its own IAM access policy?

My primary motivation for using S3 Access Point is to hide the original bucket name without using Route 53 and custom domains.

BinaryButterfly
  • `primary motivation for using S3 Access Point is to hide the original bucket name without using Route 53 and custom domains` And then how do you plan to access the content when not using a domain name? You can use CloudFront, with its own DNS or your custom domain name. R53 is not mandatory; you can control the hostname elsewhere. – gusto2 Oct 27 '21 at 20:26
  • @gusto2 not sure I understood your question but the plan was to access this content via Access Point domain e.g. https://my-access-point-0000000000.s3-accesspoint.eu-north-1.amazonaws.com/ – BinaryButterfly Oct 27 '21 at 20:33
  • `The authorization mechanism you have provided is not supported.` It means the public access is not allowed through this access point. I am not sure how to allow it. Still, I'd use CloudFront for the web access. – gusto2 Oct 27 '21 at 20:40
  • @gusto2 In the Permissions tab it says "Block public access to buckets and objects through any public bucket or access point policies - Off" so it looks like some kind of public access should be working. – BinaryButterfly Oct 27 '21 at 20:43
  • You have to explicitly allow public access in the policy too (for the access point). "Block public access" is just a redundant measure to block unauthenticated requests even if the policy allows them. – gusto2 Oct 27 '21 at 20:48
  • You can't do this. Website mode for S3 is for buckets only, not access points. – Marcin Oct 28 '21 at 03:50
  • @Marcin if you would like to post your comment as an answer I'll gladly accept it. Thanks – BinaryButterfly Oct 28 '21 at 05:46

1 Answer

Sadly, you can't do this, as S3 website mode is for buckets only (not access points). From the docs:

Amazon S3 website endpoints do not support HTTPS or access points.

Marcin