- 最新
- 投票最多
- 评论最多
Amazon has recently begun rolling out a change to how new buckets are created, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
For new buckets created after this update, all S3 Block Public Access settings will be enabled, and S3 access control lists (ACLs) will be disabled. These defaults are the recommended best practices for securing data in Amazon S3. You can adjust these settings after creating your bucket.
You need to add the PublicAccessBlockConfiguration, as well as set ObjectOwnership to ObjectWriter - that you've got under control - and at the same time ensure that you do not have the AccessControl set initially. AccessControl can only be modified after the bucket has been created.
I tried to create the same in my environment from the management console and was able to deploy it without any problems.
The template is as follows.
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Template
Resources:
SomeS3Bucket:
Type: "AWS::S3::Bucket"
Properties:
BucketName: !Sub "some-bucket-name-${AWS::AccountId}"
AccessControl: PublicRead
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerPreferred # without it it complains about ownership being set to BucketOwnerEnforced
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: "AES256"
BucketKeyEnabled: false
CorsConfiguration:
CorsRules:
- AllowedHeaders:
- "*"
AllowedMethods:
- "PUT"
- "POST"
- "DELETE"
- "GET"
AllowedOrigins:
- "*"
Block Public Access can also be set at the Organization level via an SCP - is this possible in your environment? I'd advise looking at one of your other buckets in the S3 console to see what its Block Public Access settings are and, if set, where they've come from.
Had the problem with AWS CDK using accessControl: s3.BucketAccessControl.PUBLIC_READ while creating / updating buckets.
Removing it and adding objectOwnership: s3.ObjectOwnership.OBJECT_WRITER solved the problem