API: s3:PutBucketPolicy Access Denied error during a Cloudformation stack creation

Question

I am a S3bubble user with an old existing setup (before DRM integration) https://s3bubble.com/

Cloudformation Template link:
https://s3bubble.com/documentation/ezdrm-cloudformation-template-setup-drm-widevine-playready-fairplay-with-s3bubble/

Tutorial Youtube Video link:
https://www.youtube.com/watch?v=e7Ny-YyUuzI&t=170s

I trying to create my Cloudformation Stack using the tutorial but during the process at the step CreateOutputBucketPolicy I always receive this error:
API: s3:PutBucketPolicy Access Denied 
The following resource(s) failed to create: [LambdaExecutionRole, S3BubbleMediaConvertRole, CreateDeliveryBucket, CreatePrivateBucket, CreateOutputBucketPolicy, ApiGatewayCloudWatchLogsRole, EzDRMServerResource]. Rollback requested by user.

![Enter image description here](/media/postImages/original/IMFSh49rimTkSSWU1aqf6h8Q)

On my Account the Block Public Access settings for this account in S3 is set to off

I am using the root access with AWS and this is the 3 permissions policies of my user:

1 - AmazonS3FullAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}

2 - Awss3bubble

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "mediaconvert:*",
                "mediatailor:*",
                "cloudfront:*",
                "cloudformation:*",
                "apigateway:*",
                "lambda:*",
                "medialive:*",
                "ssm:PutParameter",
                "mediapackage:*",
                "s3:*",
                "s3:List*",
                "s3:Put*",
                "s3:Get*",
                "s3:CreateBucket",
                "s3:*MultipartUpload*",
                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:PassRole",
                "iam:PutRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

3 - PutBucketPolicy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutBucketPolicy",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

I don't understand with those permissions I should be able to complete the cloudformation Stack import but my process always finish with a rollback due to (API: s3:PutBucketPolicy Access Denied) Error

Can anyone help me with that ? I am stuck
Thanks

Accepted Answer

This is happening because you are putting the bucket policy which is open to all, while any s3 bucket by default is blocked to public(aws default). If you really want to setup the bucket policy that way, then you would need to make your bucket public first, otherwise, this error will keep coming.

Recently AWS enabled feature, where all newly created s3 buckets would block public access by default, since in this template, those settings are not specified, hence PutBucketPolicy is failing as it's trying to make bucket public. Refer this [blog](https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/)

Refer this [document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html), which says that if you don't specify these configurations at the time of bucket creation, bucket policy for public would fail. Attaching snapshot for your quick reference.

See **Granting public access to S3 buckets** example from this [document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket--examples).

![Enter image description here](/media/postImages/original/IM8lzlnk93QJuakQ-9QVTjLw)

Here is what you'd need to add in your "CreateDeliveryBucket" bucket creation block.

CreateDeliveryBucket:
                  Type: AWS::S3::Bucket
                  Properties:
                     BucketName:
                        Ref: DeliveryBucket
                     AccessControl: PublicRead
                     PublicAccessBlockConfiguration:
                       BlockPublicAcls: false
                       BlockPublicPolicy: false
                       IgnorePublicAcls: false
                       RestrictPublicBuckets: false

Hope you find this helpful.

Abhishek

API: s3:PutBucketPolicy Access Denied error during a Cloudformation stack creation

관련 콘텐츠