By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Failure to create an s3 bucket with "publicReadAccess: true" config

0

If I set "publicReadAccess: true" in the aws CDK to create an s3 bucket, I get this error after "cdk deploy": my-bucket-name/Policy (bucketmortezanam1402Policy99FD46CD) API: s3:PutBucketPolicy Access Denied

But, if I set "publicReadAccess: false" everything goes well.

What is the problem? Is it not allowed to choose some of the configurations in the CDK?

Topics
Management & GovernanceAWS Cloud Development Kit (CDK)
Tags
AWS CloudFormationAWS Cloud Development Kit (CDK)
Language
English
MORTEZA NAMVAR
asked 9 months ago1285 views
1 Answer
2
Accepted Answer

This is happening because you are putting the bucket policy which is open to all, while any s3 bucket by default is blocked to public(aws default). If you really want to setup the bucket policy that way, then you would need to make your bucket public first, otherwise, this error will keep coming.

Recently AWS enabled feature, where all newly created s3 buckets would block public access by default, since in this template, those settings are not specified, hence PutBucketPolicy is failing as it's trying to make bucket public. Refer this blog

Refer this document, which says that if you don't specify these configurations at the time of bucket creation, bucket policy for public would fail. Attaching snapshot for your quick reference.

See Granting public access to S3 buckets example from this document.

Enter image description here

Here is what you'd need to add in your bucket creation block.

This is cloudformation template version:

           CreateBucket:
              Type: AWS::S3::Bucket
              Properties:
                 BucketName:
                    Ref: DeliveryBucket
                 AccessControl: PublicRead
                 PublicAccessBlockConfiguration:
                   BlockPublicAcls: false
                   BlockPublicPolicy: false
                   IgnorePublicAcls: false
                   RestrictPublicBuckets: false

Here is the CDK version:

 const mys3_bucket = new Bucket(stack, "public-read", {
 		     cdk: {
     		     bucket: {
			     publicReadAccess: true,
			     blockPublicAccess: {
				     blockPublicAcls: false,
				     blockPublicPolicy: false,
				     ignorePublicAcls: false,
				     restrictPublicBuckets: false,
			     }
		     }
	     }
     });

Hope you find this helpful.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
answered 9 months ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 9 months ago
  • MORTEZA NAMVAR
    9 months ago

    I changed the code in this way: const s3bucket = new s3.Bucket(this, 'bucketmortezanam1402', { bucketName: 'my-bucketmortezanam1402', versioned: false, // publicReadAccess: false, removalPolicy: cdk.RemovalPolicy.DESTROY,
    accessControl: s3.BucketAccessControl.PUBLIC_READ, publicReadAccess: true, blockPublicAccess: { blockPublicAcls: false, blockPublicPolicy: false, ignorePublicAcls: false, restrictPublicBuckets: false, }, });

    But I get this error:

    Failed resources: InfraStack | 11:00:26 AM | CREATE_FAILED | AWS::S3::Bucket | bucketmortezanam1402 (bucketmortezanam1402EC6DFFF8) Bucket cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError; Request ID: DVYY8N1JN3D4C41E; S3 Extended Request ID: YycOC/zBll19GA39NqFK5Vxa9ylG1mkr5S9YJsmdG5MvQOZ8c9YQ0XlbuRgmFfuslsa08yFgq2E=; Proxy: null)

  • secondabhi_aws EXPERT
    9 months ago

    Hi Morteza, Can you take look at this thread, I found another user achieved this, however he faced different issue but your problem can be fixed by following exactly what he did.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content