My goal is to create an S3 bucket for static website hosting and add IAM policies for that S3 bucket. The bucket was OK, however the bucket policy is failing. I have three statements in the bucket policy and I can't guess which one is failing and why. I also need these policies because public access will be denied.
Error: putting S3 Bucket (serengatti01bhg) Policy: operation error S3: PutBucketPolicy, https response error StatusCode: 403, RequestID: 5TA4MQJ2Y0FNJ5FA, HostID: E+qj6u+HWZthQlkvOuQQRqE+pfdFOfPoceulLyDxy/70UCW7dVQU+X2GSdNs1a65LuLq9yWErOU=, api error AccessDenied: Access Denied
resource "aws_s3_bucket" "test01" {
  bucket = "serengatti01bhg"
  tags = {
    Name = "serengatti01bhg"
  }
}

resource "aws_s3_bucket_policy" "test01_policy" {
  bucket = aws_s3_bucket.test01.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Anonymous access to bucket and objects, limited by source IP
        Sid       = "pc_access"
        Effect    = "Allow"
        Action    = "s3:*"
        Principal = "*"
        Resource = [
          aws_s3_bucket.test01.arn,
          "${aws_s3_bucket.test01.arn}/*"
        ]
        Condition = {
          "IpAddress" = {
            "aws:SourceIp" = "my public ip"
          }
        }
      },
      {
        # Full access for one IAM user in the current account
        Sid    = "admins_access"
        Effect = "Allow"
        Action = "s3:*"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/ak"
        }
        Resource = [
          aws_s3_bucket.test01.arn,
          "${aws_s3_bucket.test01.arn}/*"
        ]
      },
      {
        # Deny plain-HTTP requests. Resource lists only the bucket ARN,
        # so this statement does not apply to object-level requests.
        Sid       = "ssl_policy"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.test01.arn,
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
      {
        # Anonymous read of objects, needed for static website hosting
        Sid       = "PublicReadGetObject"
        Effect    = "Allow"
        Principal = "*"
        Action    = "s3:GetObject"
        Resource = [
          "${aws_s3_bucket.test01.arn}/*",
        ]
      }
    ]
  })
}
Two resources: an S3 bucket and an S3 bucket policy.
Plan: 2 to add, 0 to change, 0 to destroy
Answers
This policy is intended to block all operations on S3 resources if traffic is not sent over a secure HTTPS connection: Effect = "Deny"
It sounds like your Amazon S3 bucket has S3 Block Public Access activated. This will prevent you from adding a bucket policy, even as an Administrator:
To deactivate Block Public Access, click Edit and turn off the options that mention "Bucket Policies":
You will then be able to add a Bucket Policy to the bucket.
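The Terraform equivalent of the console steps in this answer, as an added example (not code from the question or either answer): an aws_s3_bucket_public_access_block resource that relaxes only the two policy-related settings, and a depends_on so the policy is applied after it. Resource names reuse those from the question; the policy body is reduced to the statement that makes the objects publicly readable.

```hcl
# Added example, not from the question or answers. Resource names follow the
# question; the policy body is reduced to the website-hosting statement.
resource "aws_s3_bucket_public_access_block" "test01" {
  bucket = aws_s3_bucket.test01.id

  # Keep ACL-based public access blocked; only the two policy-related
  # settings have to be turned off for PutBucketPolicy to accept a
  # statement with Principal = "*".
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false # this one caused the AccessDenied on PutBucketPolicy
  restrict_public_buckets = false # otherwise anonymous GetObject is still refused
}

resource "aws_s3_bucket_policy" "test01_policy" {
  bucket = aws_s3_bucket.test01.id

  # Without this, Terraform may try to put the policy before the public
  # access block settings are changed and the same 403 comes back.
  depends_on = [aws_s3_bucket_public_access_block.test01]

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Anonymous read of objects only; no bucket-level actions are
        # granted to the public.
        Sid       = "PublicReadGetObject"
        Effect    = "Allow"
        Principal = "*"
        Action    = "s3:GetObject"
        Resource  = "${aws_s3_bucket.test01.arn}/*"
      }
    ]
  })
}
```

If the error persists after this, check the account-level setting (aws_s3_account_public_access_block), which is enforced in addition to the bucket-level one. Note also that the S3 website endpoint serves HTTP only, so a Principal "*" Deny on aws:SecureTransport = "false" that covers object ARNs would block the website's own reads; TLS for the site has to come from a CloudFront distribution in front of the bucket.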