CloudFormation always returns: cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError)


I have a YAML file for CloudFormation. The idea is to create an empty bucket, with everything set up to create a simple S3 hosted website.

Every time I run it I get: cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError)

I already tried attaching an access policy to my S3 bucket that looks like this, and I still get the same error.

Resources:
  WebsiteBucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Delete
    Properties:
      BucketName: 'a-test-uniquebucket'
      AccessControl: PublicRead
      PublicAccessBlockConfiguration:
           BlockPublicAcls: false
           BlockPublicPolicy: false
           IgnorePublicAcls: false
           RestrictPublicBuckets: false
      OwnershipControls:
           Rules:
                - ObjectOwnership: ObjectWriter
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
  
  S3AccessPolicy:
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Delete
    Properties:
      Bucket: !Ref WebsiteBucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
            Resource: arn:aws:s3:::a-test-uniquebucket/*

Additionally, I'm trying to reference the Bucket's name dynamically in "resource" under S3 Access Policy. That way, I only have to change the name in one place, but I'm not sure if ${!Ref: WebsiteBucket} would work here.

asked a year ago, 1506 views

2 Answers

Hi, look at https://stackoverflow.com/questions/76026251/cloudformation-keeps-throwing-invalidbucketaclwithblockpublicaccesserror-for-my

Read the second answer first and then come back to answer #1: it should allow you to fix your CFN template.

AWS EXPERT, answered a year ago


The following template can be used to host a website.
Also, the part of the access policy that specifies the S3 ARN is "!Sub ${WebsiteBucket.Arn}".
By doing this, you only need to change the S3 bucket name in one place.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-sub.html

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Template

Resources:
  WebsiteBucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Delete
    Properties:
      # Account ID suffix keeps the globally unique bucket name from colliding
      BucketName: !Sub 'a-test-uniquebucket-${AWS::AccountId}'
      # No AccessControl (canned ACL) here; public reads are granted by the bucket policy below
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        BlockPublicPolicy: false
        IgnorePublicAcls: false
        RestrictPublicBuckets: false
      OwnershipControls:
        Rules:
          - ObjectOwnership: ObjectWriter
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html

  S3AccessPolicy:
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Delete
    Properties:
      Bucket: !Ref WebsiteBucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
            # Bucket ARN derived from the resource, so the name only lives in BucketName
            Resource: !Sub ${WebsiteBucket.Arn}/*
EXPERT, answered a year ago
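The two answers above fix the template but do not say what to check for before deploying. The following is an added example (editor's code, not from the question or either answer): a small lint over a CloudFormation template that flags a public canned ACL on a bucket, an ACL combined with BucketOwnerEnforced ownership, and disabled Block Public Access flags, and that resolves Ref / Fn::GetAtt / Fn::Sub far enough to confirm a bucket policy's Resource actually points at the bucket it is attached to. Assumptions: the template is handled in CloudFormation's JSON form (the YAML short forms !Ref, !GetAtt and !Sub become {"Ref": ...}, {"Fn::GetAtt": [...]} and {"Fn::Sub": ...}); the sample template is transcribed from the question; the pseudo-parameter values in PSEUDO are constructed; BucketOwnerEnforced is taken as the default ObjectOwnership for a new bucket; and the message about the ACL being sent on CreateBucket, before the template's PublicAccessBlockConfiguration is applied, is the editor's reading of the S3 behaviour, not something either answer states.

```python
import copy
import re

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
SUB_VAR = re.compile(r"\$\{(!?)([^}]+)\}")
# Pseudo-parameter values are constructed for this example; they only need to be consistent.
PSEUDO = {"AWS::AccountId": "123456789012", "AWS::Region": "us-east-1"}


def bucket_name(logical_id, resources):
    props = resources[logical_id].get("Properties", {})
    if "BucketName" not in props:           # CloudFormation generates a name at deploy time
        return f"<generated:{logical_id}>"
    return resolve(props["BucketName"], resources)


def resolve(value, resources):
    """Resolve Ref, Fn::GetAtt ...Arn and string-form Fn::Sub for S3 bucket resources."""
    if isinstance(value, str):
        return value
    if "Ref" in value:
        target = value["Ref"]
        return PSEUDO[target] if target in PSEUDO else bucket_name(target, resources)
    if "Fn::GetAtt" in value:
        target, attr = value["Fn::GetAtt"]
        if attr != "Arn":
            raise ValueError(f"unsupported attribute {target}.{attr}")
        return "arn:aws:s3:::" + bucket_name(target, resources)
    if "Fn::Sub" in value:
        spec = value["Fn::Sub"]
        if not isinstance(spec, str):
            raise ValueError("list-form Fn::Sub with a variable map is not handled")

        def expand(match):
            bang, expr = match.groups()
            if bang:                        # "${!x}" is Fn::Sub's escape for a literal "${x}"
                return "${" + expr + "}"
            if "." in expr and not expr.startswith("AWS::"):
                return resolve({"Fn::GetAtt": expr.split(".", 1)}, resources)
            return resolve({"Ref": expr}, resources)
        return SUB_VAR.sub(expand, spec)
    raise ValueError(f"unsupported intrinsic {value}")


def lint(template):
    """Return (logical_id, level, message) findings for the S3 resources of a template."""
    resources, findings = template["Resources"], []
    for lid, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::S3::Bucket":
            acl = props.get("AccessControl", "Private")
            rules = props.get("OwnershipControls", {}).get("Rules", [])
            # BucketOwnerEnforced (ACLs disabled) is assumed as the default for a new bucket.
            ownership = rules[0]["ObjectOwnership"] if rules else "BucketOwnerEnforced"
            pab = props.get("PublicAccessBlockConfiguration") or {}
            if acl in PUBLIC_ACLS:
                findings.append((lid, "ERROR", f"AccessControl: {acl} sends a public canned ACL with "
                                 "CreateBucket, which S3 rejects while Block Public Access applies "
                                 "(InvalidBucketAclWithBlockPublicAccessError); grant reads via a bucket policy"))
            if acl != "Private" and ownership == "BucketOwnerEnforced":
                findings.append((lid, "ERROR", "ACLs are disabled under ObjectOwnership BucketOwnerEnforced"))
            disabled = [f for f in PAB_FLAGS if pab.get(f) is False]
            if disabled:
                findings.append((lid, "WARN", "public access is not blocked: " + ", ".join(disabled)))
        elif res["Type"] == "AWS::S3::BucketPolicy":
            name = resolve(props["Bucket"], resources)
            for stmt in props["PolicyDocument"]["Statement"]:
                targets = stmt["Resource"]
                for target in (targets if isinstance(targets, list) else [targets]):
                    arn = resolve(target, resources)
                    if arn != f"arn:aws:s3:::{name}" and not arn.startswith(f"arn:aws:s3:::{name}/"):
                        findings.append((lid, "ERROR", f"statement {stmt.get('Sid')} grants on {arn}, "
                                         f"which is not bucket {name}"))
    return findings


# The asker's template, transcribed into JSON form (constructed from the question above).
QUESTION_TEMPLATE = {"Resources": {
    "WebsiteBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": "a-test-uniquebucket",
        "AccessControl": "PublicRead",
        "PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS},
        "OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]},
        "WebsiteConfiguration": {"IndexDocument": "index.html", "ErrorDocument": "error.html"}}},
    "S3AccessPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "WebsiteBucket"},
        "PolicyDocument": {"Statement": [{
            "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
            "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::a-test-uniquebucket/*"}]}}}}}


def answer_template():
    """The second answer's fix: no AccessControl, account-suffixed name, ARN via Fn::Sub."""
    fixed = copy.deepcopy(QUESTION_TEMPLATE)
    bucket = fixed["Resources"]["WebsiteBucket"]["Properties"]
    del bucket["AccessControl"]
    bucket["BucketName"] = {"Fn::Sub": "a-test-uniquebucket-${AWS::AccountId}"}
    statement = fixed["Resources"]["S3AccessPolicy"]["Properties"]["PolicyDocument"]["Statement"][0]
    statement["Resource"] = {"Fn::Sub": "${WebsiteBucket.Arn}/*"}
    return fixed
```

lint(QUESTION_TEMPLATE) reports the public canned ACL as an error and the four disabled Block Public Access flags as a warning; lint(answer_template()) keeps only the warning, which is the intended state for a bucket that serves a website straight from S3. The resolver also answers the asker's second question: inside Fn::Sub the sequence ${! is the escape for a literal ${, so "${!Ref: WebsiteBucket}" expands to the text "${Ref: WebsiteBucket}" rather than to the bucket name, and the lint flags the resulting policy Resource as not matching the bucket.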
