Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Cloud Formation always returns: cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError

0

I have a YAML file for cloudformation. The idea is to create an empty bucket, with everything set up to create a simple S3 hosted website.

Everytime I run it I get the cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError

Tried already connected my S3bucket with an access policy that looks like this, and I still get the same error.

Resources:
  WebsiteBucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Delete
    Properties:
      BucketName: 'a-test-uniquebucket'
      AccessControl: PublicRead
      PublicAccessBlockConfiguration:
           BlockPublicAcls: false
           BlockPublicPolicy: false
           IgnorePublicAcls: false
           RestrictPublicBuckets: false
      OwnershipControls:
           Rules:
                - ObjectOwnership: ObjectWriter
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
  
  S3AccessPolicy:
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Delete
    Properties:
      Bucket: !Ref WebsiteBucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
            Resource: arn:aws:s3:::a-test-uniquebucket/*

Additionally, I'm trying to reference the Bucket's name dynamically in "resource" under S3 Access Policy. That way, I only have to change the name in one place, but I'm not sure if ${!Ref: WebsiteBucket} would work here.

Themen
Management & Unternehmensführung
Tags
AWS CloudFormation
Sprache
English
blackGlitterGuy
gefragt vor einem Jahr1555 Aufrufe
2 Antworten
0

Hi, look at https://stackoverflow.com/questions/76026251/cloudformation-keeps-throwing-invalidbucketaclwithblockpublicaccesserror-for-my

Read second answer first and then come back answer #1: it should allow you to fix your CFN template.

profile pictureAWS
EXPERTE
Didier_Durand
beantwortet vor einem Jahr
0

The following template can be used to host a website.
Also, the part of the access policy that specifies the S3 ARN is "!Sub ${WebsiteBucket.Arn}".
By doing this, you only need to change the S3 bucket name part.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-sub.html

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Template

Resources:
  WebsiteBucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Delete
    Properties:
      BucketName: !Sub 'a-test-uniquebucket-${AWS::AccountId}'
      PublicAccessBlockConfiguration:
           BlockPublicAcls: false
           BlockPublicPolicy: false
           IgnorePublicAcls: false
           RestrictPublicBuckets: false
      OwnershipControls:
           Rules:
                - ObjectOwnership: ObjectWriter
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
  
  S3AccessPolicy:
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Delete
    Properties:
      Bucket: !Ref WebsiteBucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
            Resource: !Sub ${WebsiteBucket.Arn}/*
profile picture
EXPERTE
Riku_Kobayashi
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt