
My goal is to create an S3 bucket for static website hosting and add IAM policies for that S3 bucket. The bucket was OK; however, the bucket policy is failing. I have three statements in the bucket policy and I can't guess which one is failing and why. I also need these policies because public access will be denied.

Error: putting S3 Bucket (serengatti01bhg) Policy: operation error S3: PutBucketPolicy, https response error StatusCode: 403, RequestID: 5TA4MQJ2Y0FNJ5FA, HostID: E+qj6u+HWZthQlkvOuQQRqE+pfdFOfPoceulLyDxy/70UCW7dVQU+X2GSdNs1a65LuLq9yWErOU=, api error AccessDenied: Access Denied

# Needed for the account ID referenced in the "admins_access" statement below
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "test01" {
  bucket = "serengatti01bhg"

  tags = {
    Name = "serengatti01bhg"
  }
}

resource "aws_s3_bucket_policy" "test01_policy" {
  bucket = aws_s3_bucket.test01.id

  policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        {
          Sid       = "pc_access"
          Effect    = "Allow"
          Action    = "s3:*"
          Principal = "*"
          Resource = [
            aws_s3_bucket.test01.arn,
            "${aws_s3_bucket.test01.arn}/*"
          ]
          Condition = {
            "IpAddress" = {
              "aws:SourceIp" = "my public ip"
            }
          }
        },

        {
          Sid    = "admins_access"
          Effect = "Allow"
          Action = "s3:*"
          Principal = {
            AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/ak"
          }
          Resource = [
            aws_s3_bucket.test01.arn,
            "${aws_s3_bucket.test01.arn}/*"
          ]
        },

        {
          Sid       = "ssl_policy"
          Effect    = "Deny"
          Principal = "*"
          Action    = "s3:*"
          Resource = [
            aws_s3_bucket.test01.arn,
          ]
          Condition = {
            Bool = {
              "aws:SecureTransport" = "false"
            }
          }
        },

        {
          Sid       = "PublicReadGetObject"
          Effect    = "Allow"
          Principal = "*"
          Action    = "s3:GetObject"
          Resource = [
            "${aws_s3_bucket.test01.arn}/*",
          ]
        }
      ]
    }
  )
}

Two resources: an S3 bucket and an S3 bucket policy.
Plan: 2 to add, 0 to change, 0 to destroy

2 Answers


  1. This policy is intended to block all operations on S3 resources if traffic is not sent over a secure HTTPS connection: Effect = "Deny"

  2. It sounds like your Amazon S3 bucket has S3 Block Public Access activated. This will prevent you from adding a bucket policy, even as an Administrator:

    S3 Block Public Access

    To deactivate Block Public Access, click Edit and turn off the options that mention "Bucket Policies":

    Turn off S3 Block Public Access

    You will then be able to add a Bucket Policy to the bucket.

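Because the second answer attributes the AccessDenied to S3 Block Public Access, and the first answer concerns the aws:SecureTransport deny statement, the following Terraform shows both points together: a bucket-level `aws_s3_bucket_public_access_block` that relaxes only the two settings a public bucket policy needs, and a bucket policy that depends on it and whose HTTPS-only deny covers objects as well as the bucket. This is an added example, not code from the question or either answer; it assumes the `aws_s3_bucket.test01` resource from the question already exists and replaces the question's `aws_s3_bucket_policy` resource.

```hcl
# Added example (not from the question or answers). Assumes aws_s3_bucket.test01
# from the question is declared in the same configuration.

# Relax only the two Block Public Access settings that reject a public bucket
# policy; keep ACL-based public access blocked, since a static website serves
# objects through the bucket policy and never needs public ACLs.
resource "aws_s3_bucket_public_access_block" "test01" {
  bucket = aws_s3_bucket.test01.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false # otherwise PutBucketPolicy returns AccessDenied
  restrict_public_buckets = false # otherwise anonymous GetObject is still refused
}

# The policy is attached only after the block settings exist; without
# depends_on, Terraform may call PutBucketPolicy first and fail.
resource "aws_s3_bucket_policy" "test01_policy" {
  bucket = aws_s3_bucket.test01.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Anonymous read of objects only; no List, Put or Delete.
        Sid       = "PublicReadGetObject"
        Effect    = "Allow"
        Principal = "*"
        Action    = "s3:GetObject"
        Resource  = "${aws_s3_bucket.test01.arn}/*"
      },
      {
        # Deny lists both the bucket ARN and the object ARN pattern, so
        # plain-HTTP object reads are refused, not just bucket-level calls.
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.test01.arn,
          "${aws_s3_bucket.test01.arn}/*",
        ]
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      },
    ]
  })

  depends_on = [aws_s3_bucket_public_access_block.test01]
}
```

Block Public Access also exists at the account level, and an account-level setting overrides the bucket-level one, so if `terraform apply` still returns AccessDenied after this change, check both scopes: `aws s3api get-public-access-block --bucket serengatti01bhg` for the bucket and `aws s3control get-public-access-block --account-id <YOUR_ACCOUNT_ID>` for the account (the account ID is a placeholder here). Leaving `block_public_acls` and `ignore_public_acls` enabled keeps the exposure limited to exactly what the bucket policy grants.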