Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Failure to create an s3 bucket with "publicReadAccess: true" config

0

If I set "publicReadAccess: true" in the aws CDK to create an s3 bucket, I get this error after "cdk deploy": my-bucket-name/Policy (bucketmortezanam1402Policy99FD46CD) API: s3:PutBucketPolicy Access Denied

But, if I set "publicReadAccess: false" everything goes well.

What is the problem? Is it not allowed to choose some of the configurations in the CDK?

Temas
Gestión y gobiernoAWS Cloud Development Kit (CDK)
Etiquetas
AWS CloudFormationAWS Cloud Development Kit (CDK)
Idioma
English
MORTEZA NAMVAR
preguntada hace 10 meses1355 visualizaciones
1 Respuesta
2
Respuesta aceptada

This is happening because you are putting the bucket policy which is open to all, while any s3 bucket by default is blocked to public(aws default). If you really want to setup the bucket policy that way, then you would need to make your bucket public first, otherwise, this error will keep coming.

Recently AWS enabled feature, where all newly created s3 buckets would block public access by default, since in this template, those settings are not specified, hence PutBucketPolicy is failing as it's trying to make bucket public. Refer this blog

Refer this document, which says that if you don't specify these configurations at the time of bucket creation, bucket policy for public would fail. Attaching snapshot for your quick reference.

See Granting public access to S3 buckets example from this document.

Enter image description here

Here is what you'd need to add in your bucket creation block.

This is cloudformation template version:

           CreateBucket:
              Type: AWS::S3::Bucket
              Properties:
                 BucketName:
                    Ref: DeliveryBucket
                 AccessControl: PublicRead
                 PublicAccessBlockConfiguration:
                   BlockPublicAcls: false
                   BlockPublicPolicy: false
                   IgnorePublicAcls: false
                   RestrictPublicBuckets: false

Here is the CDK version:

 const mys3_bucket = new Bucket(stack, "public-read", {
 		     cdk: {
     		     bucket: {
			     publicReadAccess: true,
			     blockPublicAccess: {
				     blockPublicAcls: false,
				     blockPublicPolicy: false,
				     ignorePublicAcls: false,
				     restrictPublicBuckets: false,
			     }
		     }
	     }
     });

Hope you find this helpful.

Abhishek

profile pictureAWS
EXPERTO
secondabhi_aws
respondido hace 10 meses
profile pictureAWS
EXPERTO
Didier_Durand
revisado hace 10 meses
  • MORTEZA NAMVAR
    hace 10 meses

    I changed the code in this way: const s3bucket = new s3.Bucket(this, 'bucketmortezanam1402', { bucketName: 'my-bucketmortezanam1402', versioned: false, // publicReadAccess: false, removalPolicy: cdk.RemovalPolicy.DESTROY,
    accessControl: s3.BucketAccessControl.PUBLIC_READ, publicReadAccess: true, blockPublicAccess: { blockPublicAcls: false, blockPublicPolicy: false, ignorePublicAcls: false, restrictPublicBuckets: false, }, });

    But I get this error:

    Failed resources: InfraStack | 11:00:26 AM | CREATE_FAILED | AWS::S3::Bucket | bucketmortezanam1402 (bucketmortezanam1402EC6DFFF8) Bucket cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError; Request ID: DVYY8N1JN3D4C41E; S3 Extended Request ID: YycOC/zBll19GA39NqFK5Vxa9ylG1mkr5S9YJsmdG5MvQOZ8c9YQ0XlbuRgmFfuslsa08yFgq2E=; Proxy: null)

  • secondabhi_aws EXPERTO
    hace 10 meses

    Hi Morteza, Can you take look at this thread, I found another user achieved this, however he faced different issue but your problem can be fixed by following exactly what he did.

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante