Cloud Formation always returns: cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError

Question

I have a YAML file for cloudformation. The idea is to create an empty bucket, with everything set up to create a simple S3 hosted website.

Everytime I run it I get the 
`cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError`

Tried already connected my S3bucket with an access policy that looks like this, and I still get the same error.

```
Resources:
  WebsiteBucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Delete
    Properties:
      BucketName: 'a-test-uniquebucket'
      AccessControl: PublicRead
      PublicAccessBlockConfiguration:
           BlockPublicAcls: false
           BlockPublicPolicy: false
           IgnorePublicAcls: false
           RestrictPublicBuckets: false
      OwnershipControls:
           Rules:
                - ObjectOwnership: ObjectWriter
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
  
  S3AccessPolicy:
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Delete
    Properties:
      Bucket: !Ref WebsiteBucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
            Resource: arn:aws:s3:::a-test-uniquebucket/*
```
Additionally, I'm trying to reference the Bucket's name dynamically in "resource" under S3 Access Policy. That way, I only have to change the name in one place, but I'm not sure if ${!Ref: WebsiteBucket} would work here.

Answer

Hi, look at https://stackoverflow.com/questions/76026251/cloudformation-keeps-throwing-invalidbucketaclwithblockpublicaccesserror-for-my

Read second answer first and then come back answer #1: it should allow you to fix your CFN template.

Answer

The following template can be used to host a website.  
Also, the part of the access policy that specifies the S3 ARN is "!Sub ${WebsiteBucket.Arn}".  
By doing this, you only need to change the S3 bucket name part.  
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-sub.html

```
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Template

Resources:
  WebsiteBucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Delete
    Properties:
      BucketName: !Sub 'a-test-uniquebucket-${AWS::AccountId}'
      PublicAccessBlockConfiguration:
           BlockPublicAcls: false
           BlockPublicPolicy: false
           IgnorePublicAcls: false
           RestrictPublicBuckets: false
      OwnershipControls:
           Rules:
                - ObjectOwnership: ObjectWriter
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
  
  S3AccessPolicy:
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Delete
    Properties:
      Bucket: !Ref WebsiteBucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
            Resource: !Sub ${WebsiteBucket.Arn}/*
```

Cloud Formation always returns: cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError

相關內容