CloudFormation keeps throwing InvalidBucketAclWithBlockPublicAccessError for my S3 bucket template's deployment

1

Goal

Create an S3 bucket that my service is going to write images to, and that anyone is going to be able to read the images from, because I am going to show the images on my service's web page.

Problem

So I have a pretty generic (I think) template for an S3 bucket that should allow anyone to read objects inside it:

  SomeS3Bucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: "some-bucket-name"
      AccessControl: PublicRead
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred # without it it complains about ownership being set to BucketOwnerEnforced
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "AES256"
            BucketKeyEnabled: false
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "*"
            AllowedMethods:
              - "PUT"
              - "POST"
              - "DELETE"
              - "GET"
            AllowedOrigins:
              - "*"

An attempt to deploy this template always results in an error like this: Bucket cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError)

Tried adding:

      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        BlockPublicPolicy: false
        IgnorePublicAcls: false
        RestrictPublicBuckets: false

But that didn't help either.

Also tried setting ObjectOwnership to ObjectWriter and checked the BlockPublicAccess configuration at my AWS account level. Nothing points me to the root cause of the issue.

Would really appreciate any help on this.

Tried creating a stack from the AWS Console and with aws-cli/2.6.4 Python/3.9.11 Linux/5.10.16.3-microsoft-standard-WSL2 exe/x86_64.ubuntu.20 prompt/off.

3 Answers
1

Amazon has recently begun rolling out a change to how new buckets are created; see https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

For new buckets created after this update, all S3 Block Public Access settings will be enabled, and S3 access control lists (ACLs) will be disabled. These defaults are the recommended best practices for securing data in Amazon S3. You can adjust these settings after creating your bucket.

You need to add the PublicAccessBlockConfiguration, as well as set ObjectOwnership to ObjectWriter - that you've got under control - and at the same time ensure that you do not have the AccessControl set initially. AccessControl can only be modified after the bucket has been created.

answered a year ago
  • Had the problem with AWS CDK using accessControl: s3.BucketAccessControl.PUBLIC_READ while creating / updating buckets.

    Removing it and adding objectOwnership: s3.ObjectOwnership.OBJECT_WRITER solved the problem
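The three creation-time conditions from the answer above (no AccessControl at create time, ObjectOwnership set to ObjectWriter, all four Block Public Access flags off) can be checked before a deploy. The following is an added example, not code from the asker, the answerers or AWS: it holds a constructed copy of the question's bucket resource in CloudFormation's JSON form, lints it for those conditions, and produces a copy that can be created, leaving AccessControl to a later stack update as the answer suggests. The set of canned ACLs treated as public is an assumption based on the S3 canned-ACL names that grant to the AllUsers or AuthenticatedUsers groups.

```python
import copy
import json

# Constructed stand-in for the question's bucket resource in CloudFormation's
# JSON form; the values mirror the YAML in the question, plus the
# PublicAccessBlockConfiguration the asker said they tried adding.
QUESTION_BUCKET = {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "BucketName": "some-bucket-name",
        "AccessControl": "PublicRead",
        "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]},
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": False,
            "BlockPublicPolicy": False,
            "IgnorePublicAcls": False,
            "RestrictPublicBuckets": False,
        },
        "BucketEncryption": {
            "ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                 "BucketKeyEnabled": False}
            ]
        },
    },
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Canned ACLs that grant to the AllUsers or AuthenticatedUsers groups, which Block
# Public Access treats as public (assumption based on the canned-ACL names).
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}


def object_ownership(props):
    """ObjectOwnership from OwnershipControls, or None when the template omits it."""
    rules = props.get("OwnershipControls", {}).get("Rules", [])
    return rules[0].get("ObjectOwnership") if rules else None


def lint_bucket(resource):
    """Return findings explaining why creating this bucket would fail with
    InvalidBucketAclWithBlockPublicAccessError (empty list = looks creatable)."""
    props = resource.get("Properties", {})
    findings = []

    acl = props.get("AccessControl")
    if acl in PUBLIC_ACLS:
        findings.append(
            f"AccessControl={acl} is applied at creation; new buckets start with Block "
            "Public Access on and ACLs disabled, so the create call is rejected. Remove it "
            "from the creation template and apply it in a later stack update."
        )

    # Omitting OwnershipControls means the new default, BucketOwnerEnforced, which disables ACLs.
    ownership = object_ownership(props) or "BucketOwnerEnforced"
    if ownership != "ObjectWriter":
        findings.append(f"ObjectOwnership={ownership}; the answer uses ObjectWriter so ACLs stay usable.")

    pab = props.get("PublicAccessBlockConfiguration")
    if pab is None:
        findings.append("PublicAccessBlockConfiguration is missing; new buckets get all four flags on.")
    else:
        # A flag left out of the property is not set, i.e. false.
        enabled = [k for k in PAB_KEYS if pab.get(k, False)]
        if enabled:
            findings.append("Block Public Access flags still on: " + ", ".join(enabled))
    return findings


def make_creatable(resource):
    """Deep copy of the resource with the creation-time conflicts resolved; the input is untouched."""
    fixed = copy.deepcopy(resource)
    props = fixed.setdefault("Properties", {})
    props.pop("AccessControl", None)  # re-add via a later update once the bucket exists
    props["OwnershipControls"] = {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}
    props["PublicAccessBlockConfiguration"] = {k: False for k in PAB_KEYS}
    return fixed


if __name__ == "__main__":
    for finding in lint_bucket(QUESTION_BUCKET):
        print("-", finding)
    print(json.dumps(make_creatable(QUESTION_BUCKET), indent=2))
```

Running it on the constructed resource reports the AccessControl and ObjectOwnership findings and prints a resource that lints clean; the encryption and CORS settings pass through unchanged.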

1

I tried to create the same in my environment from the management console and was able to deploy it without any problems.
The template is as follows.

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Template

Resources:
  SomeS3Bucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: !Sub "some-bucket-name-${AWS::AccountId}"
      AccessControl: PublicRead
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred # without it it complains about ownership being set to BucketOwnerEnforced
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "AES256"
            BucketKeyEnabled: false
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "*"
            AllowedMethods:
              - "PUT"
              - "POST"
              - "DELETE"
              - "GET"
            AllowedOrigins:
              - "*"
EXPERT
answered a year ago
0

Block Public Access can also be set at the Organization level via an SCP - is this possible in your environment? I'd advise looking at one of your other buckets in the S3 console to see what its Block Public Access settings are and, if set, where they've come from.

EXPERT
answered a year ago
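The answer above points at settings that live outside the bucket template. Block Public Access exists at the account level (aws s3control get-public-access-block) and at the bucket level (aws s3api get-public-access-block), and S3 enforces the more restrictive combination of the two, so a flag enabled at the account level cannot be switched off by a PublicAccessBlockConfiguration in the template. The following is an added example, not code from the answerers or AWS: it takes constructed sample responses in the shape those two commands return, works out which level enables each flag, and states what would happen to an AccessControl: PublicRead ACL under the combined settings. The account id and bucket name in the comments are placeholders.

```python
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample responses (not captured from a real account). The shapes match
# `aws s3control get-public-access-block --account-id <ACCOUNT_ID_PLACEHOLDER>` and
# `aws s3api get-public-access-block --bucket some-bucket-name`.
ACCOUNT_RESPONSE = """{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
  "IgnorePublicAcls": true, "BlockPublicPolicy": false, "RestrictPublicBuckets": false}}"""
BUCKET_RESPONSE = """{"PublicAccessBlockConfiguration": {"BlockPublicAcls": false,
  "IgnorePublicAcls": false, "BlockPublicPolicy": true, "RestrictPublicBuckets": false}}"""


def parse_public_access_block(response_json):
    """Normalise one level's response to a dict of the four flags. Pass None when the CLI
    reported NoSuchPublicAccessBlockConfiguration, meaning nothing is set at that level."""
    if response_json is None:
        return {k: False for k in PAB_KEYS}
    cfg = json.loads(response_json)["PublicAccessBlockConfiguration"]
    return {k: bool(cfg.get(k, False)) for k in PAB_KEYS}


def effective_block(account, bucket):
    """S3 applies the more restrictive of the account and bucket settings, so a flag is in
    force if either level turns it on. Returns, per flag, the levels that enable it."""
    levels = (("account", account), ("bucket", bucket))
    return {k: [name for name, cfg in levels if cfg[k]] for k in PAB_KEYS}


def public_read_acl_outcome(effective):
    """What happens to AccessControl: PublicRead under the combined settings."""
    if effective["BlockPublicAcls"]:
        return "rejected"   # the PUT carrying a public ACL fails, which is the asker's error
    if effective["IgnorePublicAcls"]:
        return "ignored"    # the ACL is stored but grants nobody access
    return "effective"


def report(account_json, bucket_json):
    """Human-readable summary; an account-level 'on' is the cue to ask who set it."""
    eff = effective_block(parse_public_access_block(account_json),
                          parse_public_access_block(bucket_json))
    lines = [f"{k}: {'on via ' + '+'.join(v) if v else 'off'}" for k, v in eff.items()]
    lines.append(f"PublicRead ACL would be: {public_read_acl_outcome(eff)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ACCOUNT_RESPONSE, BUCKET_RESPONSE))
```

With the constructed responses the report shows BlockPublicAcls and IgnorePublicAcls coming from the account level even though the bucket-level flags are off, which is exactly the situation where a template-level PublicAccessBlockConfiguration of all false changes nothing.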
