AWS CDK Deployment Fails with "Access Denied" Error for S3 Bucket

0

Hello,

I am encountering an issue while deploying an AWS CDK stack that includes an S3 bucket. The deployment fails with an "Access Denied" error when trying to create the S3 bucket. The exact error message is:

Deployment failed: Error: The stack named DevelopmentMinnaKaraokeFrontendStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: , Extended Request ID: )" (RequestToken: , HandlerErrorCode: AccessDenied)

I am using the same AWS account and IAM user as before, and I've only moved the S3 bucket code from one stack to another in the same CDK app. The IAM user has the necessary permissions to create and modify S3 buckets.

Here are the things I've checked and confirmed:

  • The S3 bucket name is unique.
  • There's no bucket deletion delay issue, as the bucket name has not been recently used.
  • I am not hitting the bucket creation rate limit, as I am not creating and deleting buckets rapidly.

I am not sure why I am still encountering this issue. Could you please help me identify the cause of this issue and suggest how to resolve it?

Thank you for your assistance!

1 Answer
0

Hello. Although you mentioned you're creating a new bucket, it's possible there are service-linked roles or organization-wide policies that automatically apply certain bucket policies. Solution: Check if there's an organizational policy or SCP (Service Control Policy) that might be preventing the creation or modification of S3 buckets.

Also double-check whether you have enabled:

Object Ownership: Bucket owner preferred

Regards, Andrii

EXPERT
answered 6 months ago
  • Thank you for your reply, but I don't have permission to view my organization-wide policies.

    The thing is that I have an existing CDK stack in the same AWS account and using the same IAM user, which includes similar S3 bucket code, and it deploys without any issues. The issue only occurs with the new stack.

    In the new stack, I've only moved the S3 bucket code from the existing stack to the new stack. The IAM user has the necessary permissions to create and modify S3 buckets. I've also ensured that the S3 bucket name is unique and not recently used. Could you please help me identify the cause of this issue and suggest how to resolve it?
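The answer's first suggestion is to check whether a Service Control Policy explicitly denies the S3 call. As the asker notes, a member-account user often cannot list SCPs, but when an administrator hands over the policy document, the question becomes "does this statement deny s3:CreateBucket for my request?". The script below is an added example, not code from Andrii's answer or from AWS: a simplified IAM/SCP evaluator (Deny wins, then explicit Allow, else implicit deny) that supports the Action/NotAction, Resource and the common string and Bool condition operators and refuses unknown operators rather than silently ignoring them. The SAMPLE_SCP document, the bucket ARN and the region values are constructed for the demonstration; the real AWS evaluation logic has more cases than this model.

```python
import fnmatch
import json

# Constructed SCP for illustration only; it is not the asker's organization policy.
# It allows everything, then denies two S3 control-plane actions outside two regions.
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyS3OutsideApprovedRegions",
            "Effect": "Deny",
            "Action": ["s3:CreateBucket", "s3:PutBucketPolicy"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}
            },
        },
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Action and resource patterns are case-insensitive globs using * and ?."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate a Condition block against request context keys (key names are case-insensitive)."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            expected = [str(e) for e in _as_list(expected)]
            actual = ctx.get(key.lower())
            negative = operator in ("StringNotEquals", "StringNotLike")
            if actual is None:
                if negative:
                    continue  # a missing key satisfies a negated operator
                return False  # and fails a positive one
            actual = str(actual)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "StringLike":  # case-sensitive glob
                ok = any(fnmatch.fnmatchcase(actual, e) for e in expected)
            elif operator == "StringNotLike":
                ok = not any(fnmatch.fnmatchcase(actual, e) for e in expected)
            elif operator == "Bool":
                ok = actual.lower() == expected[0].lower()
            else:
                # Refuse rather than guess: an ignored operator could hide a real Deny.
                raise NotImplementedError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy_json, action, resource, context):
    """Return ("Deny", sid), ("Allow", sid) or ("ImplicitDeny", None) for one request."""
    allowed_by = None
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if "Action" in stmt and not _matches(stmt["Action"], action):
            continue
        if "NotAction" in stmt and _matches(stmt["NotAction"], action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt.get("Sid")  # an explicit Deny ends evaluation
        allowed_by = allowed_by or stmt.get("Sid")
    return ("Allow", allowed_by) if allowed_by else ("ImplicitDeny", None)


def diagnose(policy_json, region, action="s3:CreateBucket",
             resource="arn:aws:s3:::example-bucket"):
    """Ask whether the policy blocks the given S3 action in the given region (constructed ARN)."""
    return evaluate(policy_json, action, resource, {"aws:RequestedRegion": region})


if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        print(region, diagnose(SAMPLE_SCP, region))
```

Running it prints a Deny attributed to DenyS3OutsideApprovedRegions for us-east-1 and an Allow for eu-west-1, which is the shape of answer a CloudFormation "Access Denied (Service: S3, Status Code: 403)" needs: the same IAM user can succeed in one stack and fail in another when the stacks target different regions or different condition-key values, even though the bucket code is identical.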
