Goal

Create an S3 bucket that my service is going to write images to and anyone is going to be able to read the image from because I am going to show the image on my service’s web page.

Problem

So I have a pretty generic (I think) template for an S3 bucket that should allow anyone to read objects inside it:

  SomeS3Bucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: "some-bucket-name"
      AccessControl: PublicRead
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred # without it, it complains about ownership being set to BucketOwnerEnforced
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "AES256"
            BucketKeyEnabled: false
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "*"
            AllowedMethods:
              - "PUT"
              - "POST"
              - "DELETE"
              - "GET"
            AllowedOrigins:
              - "*"

An attempt to deploy this template always results in an error like this: Bucket cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError)

Tried creating a stack from the AWS Console and with aws-cli/2.6.4 Python/3.9.11 Linux/5.10.16.3-microsoft-standard-WSL2 exe/x86_64.ubuntu.20 prompt/off.

Would really appreciate any help on this.

Tried adding:

      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        BlockPublicPolicy: false
        IgnorePublicAcls: false
        RestrictPublicBuckets: false

But that didn’t help either.

Also tried setting ObjectOwnership to ObjectWriter, checked the BlockPublicAccess configuration on my AWS account level. Nothing points me to the root cause of the issue.

2 Answers


  1. Amazon has recently begun rolling out a change to how new buckets are created, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

    For new buckets created after this update, all S3 Block Public Access settings will be enabled, and S3 access control lists (ACLs) will be disabled. These defaults are the recommended best practices for securing data in Amazon S3. You can adjust these settings after creating your bucket.

    You need to add the PublicAccessBlockConfiguration, as well as set ObjectOwnership to ObjectWriter – that you’ve got under control – and at the same time ensure that you do not have the AccessControl set initially. AccessControl can only be modified after the bucket has been created.

  2. As @therightstuff explained, I have fixed it this way:

    SomeS3Bucket:
      Type: "AWS::S3::Bucket"
      Properties:
        BucketName: "some-bucket-name"
        PublicAccessBlockConfiguration:
          BlockPublicAcls: false
          BlockPublicPolicy: false
          IgnorePublicAcls: false
          RestrictPublicBuckets: false
        OwnershipControls:
          Rules:
            - ObjectOwnership: ObjectWriter
    SomeS3AccessPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket:
          Ref: SomeS3Bucket
        PolicyDocument:
          Statement:
            - Sid: PublicReadGetObject
              Effect: Allow
              Principal: '*'
              Action:
                - s3:GetObject
              Resource: arn:aws:s3:::some-bucket-name/*
    
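Added example (not the thread's or AWS's code): a pre-deployment lint for the failure mode above, run over condensed copies of the question's template and the accepted answer's fix. It takes the template as an already-parsed dict (for instance from json.load or yaml.safe_load) and assumes the new-bucket defaults that answer 1 quotes: every Block Public Access flag on and ObjectOwnership BucketOwnerEnforced.

```python
# Added example (not the thread's or AWS's code): lint a parsed CloudFormation template before deploying it.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
# Assumption (per answer 1): a new bucket defaults to every Block Public Access flag on and to BucketOwnerEnforced.
PAB_DEFAULTS = dict.fromkeys(("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"), True)

def effective_settings(props):
    # Settings the bucket will actually be created with: template values layered over the defaults.
    pab = {**PAB_DEFAULTS, **props.get("PublicAccessBlockConfiguration", {})}
    rules = props.get("OwnershipControls", {}).get("Rules") or [{}]
    return pab, rules[0].get("ObjectOwnership", "BucketOwnerEnforced")

def check_template(template):
    """Return (logical_id, message) findings; an empty list means nothing to flag."""
    findings, resources = [], template.get("Resources", {})
    buckets = {n: r.get("Properties", {}) for n, r in resources.items()
               if r.get("Type") == "AWS::S3::Bucket"}
    policies = {n: r.get("Properties", {}) for n, r in resources.items()
                if r.get("Type") == "AWS::S3::BucketPolicy"}
    for name, props in buckets.items():
        pab, _ownership = effective_settings(props)
        acl = props.get("AccessControl")
        if acl in PUBLIC_ACLS and pab["BlockPublicAcls"]:
            findings.append((name, "public ACL with BlockPublicAcls on: InvalidBucketAclWithBlockPublicAccessError"))
        elif acl:  # the thread's fix drops AccessControl entirely and uses a bucket policy
            findings.append((name, "AccessControl set at creation; grant public read with a bucket policy instead"))
    for name, props in policies.items():
        ref = props.get("Bucket")  # either {"Ref": logical_id} or a literal bucket name
        pab, _ = effective_settings(buckets.get(ref.get("Ref") if isinstance(ref, dict) else ref, {}))
        for st in props.get("PolicyDocument", {}).get("Statement", []):
            if st.get("Effect") != "Allow" or st.get("Principal") not in ("*", {"AWS": "*"}):
                continue  # only anonymous grants matter for this check
            actions = [st["Action"]] if isinstance(st.get("Action"), str) else st.get("Action", [])
            if pab["BlockPublicPolicy"]:
                findings.append((name, "public statement but BlockPublicPolicy is on: the policy is rejected"))
            extra = [a for a in actions if a.lower() != "s3:getobject"]
            if extra:  # serving images needs read only; anonymous write or delete is a misconfiguration
                findings.append((name, f"anonymous principal granted more than s3:GetObject: {extra}"))
    return findings

# Constructed, condensed copies of the question's template and the accepted answer's fix.
ORIGINAL = {"Resources": {"SomeS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "AccessControl": "PublicRead", "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}}}}}
FIXED = {"Resources": {
    "SomeS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": dict.fromkeys(PAB_DEFAULTS, False),
        "OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}}},
    "SomeS3AccessPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "SomeS3Bucket"}, "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::some-bucket-name/*"}]}}}}}
```

Running check_template over ORIGINAL reproduces the error from the question as a finding before any stack is created, while FIXED yields nothing; a public statement granting more than s3:GetObject is reported as a separate finding.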