I created a new S3 bucket through the web console, and I'm just trying to update the bucket policy, but i get an unhelpful error message:
"Error: Access denied"
Any ideas?
I needed to disable "Block public and cross-account access if bucket has public policies (Recommended)" in public access settings before updating the bucket policy
(For me) It works after I disabled Block new public bucket policies (Recommended) since it was a new public policy.
Related
I want to allow a specific IAM user (and no one else) to read files from a specific S3 bucket. I want to allow this IAM user to read the files from any external IP address. I have already created this IAM user, and attached a custom policy to this user allowing s3:GetObject operations on the one bucket.
I have also configured my S3 bucket to "Block all public access." My reasoning is that I don't want to allow access from any other user/stranger besides the designated IAM user.
I attempted to perform the read using the S3 SDK and the IAM user's API keys. And I'm getting the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied
I suspect that this is happening because of my "block all public access" bucket config. I don't quite understand what AWS is referring to when they say public. Are they referring to access from random/uncredentialed users? Or are they referring to access from public IP addresses? For my use case, should I enable or disable the following configs?
Block public access to buckets and objects granted through new access control lists (ACLs)
Block public access to buckets and objects granted through any access control lists (ACLs)
Block public access to buckets and objects granted through new public bucket or access point policies
Block public and cross-account access to buckets and objects through any public bucket or access point policies
Update: Turns out I made an unrelated error in my permissions policy. I had granted the IAM user permissions to access arn:aws:s3:::my-bucket instead of arn:aws:s3:::my-bucket/*.
After fixing this, I'm able to use the IAM user to read from the s3 bucket, from an external IP, with block all public access still enabled. I can now confirm that this option does not block access from external IPs.
Thank you Mark B!
I am trying to setup the S3 buckets I want my CloudFront distribution to access.
From my client I use AWS mobile SDK to upload to S3. When clients consume files from S3 I hit CloudFront and things worked until I made this change:
When I created the distribution, I had CloudFront update the bucket policy to have the OAI included in the principal:
So, then I thought I could run GET calls on CloudFront, because CloudFront has the OAI setup and S3 bucket reflects that.
However, I keep getting Access denied:
What else do I need to do to secure down the bucket and only allow CloudFront to read and allow my client app to be able to upload files to it using the SDK configured with the poolId I have setup for it?. Unless I leave the "Block all public access" unchecked, I get access denied via CloudFront.
Unfortunately according to the documentation the following is stated:
Amazon S3 Block Public Access must be disabled on the bucket.
This is because it will ignore the bucket policy due to the Block public and cross-account access to buckets and objects through any public bucket or access point policies value.
Unless your bucket policy also allows anonymous GetObject by default your objects will not be public.
I found an issue with a S3 bucket.
The bucket don't have any ACL associated, and the user that create the bucket was deleted.
How it's possible add some ACL in the bucket to get the control back?
For any command using AWS CLI, the result are the same always: An error occurred (AccessDenied) when calling the operation: Access Denied
Also in AWS console the access is denied.
First things first , AccessDenied error in AWS indicates that your AWS user does not have access to S3 service , Get S3 permission to your IAM user account , if in case you had access to AWS S3 service.
The thing is since you are using cli make sure AWS client KEY and secret are still correctly in local.
Now the interesting use case :
You have access to S3 service but cannot access the bucket since the bucket had some policies set
In this case if user who set the policies left and no user was able to access this bucket, the best way is to ask AWS root account holder to change the bucket permissions
An IAM user with the managed policy named AdministratorAccess should be able to access all S3 buckets within the same AWS account. Unless you have applied some unusual S3 bucket policy or ACL, in which case you might need to log in as the account's root user and modify that bucket policy or ACL.
See Why am I getting an "Access Denied" error from the S3 when I try to modify a bucket policy?
I just posted this on a related thread...
https://stackoverflow.com/a/73977525/999943
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-full-control-acl/
Basically when putting objects from the non-bucket owner, you need to set the acl at the same time.
--acl bucket-owner-full-control
I am logged in with the root account trying to give public access to a bucket inline with the instructions for setting up a static s3 web site.
However I get an access denied message when running the bucket policy.
There is no more detail on the message.
This could be due to recent changes in S3. To fix this issue, you need to assign Public Access to the bucket, follow the below steps:
In the Permissions tab click on the Block Public Access settings.
Click Edit to the right of these settings.
Make sure Block public access to buckets and objects granted through new public bucket or access point policies option is deselected.
Click Save.
Go back to the Bucket Policy and try again.
"Manage public bucket policies for this bucket" section need to be unchecked for to introduce "Allow" policies.
But be cautious, unchecking these might enable you to introduce a
policy but that policy is a public policy making your bucket public.
Having these checked - You won't be able to introduce "Allow" policies that for this bucket.
You can however introduce "Deny" policies, with these options checked.
The accepted answer works even if related comments suggest it's not a good idea for security reasons. In fact it is in line with AWS instructions for static website hosting here
https://docs.aws.amazon.com/AmazonS3/latest/userguide/HostingWebsiteOnS3Setup.html
which answers the OP's question.
To summarise the steps (given in the linked page) to configure a static website on Amazon S3:
Create a bucket
Enable static website hosting
Unblock all public access
Add the bucket policy that makes your content publicly available (the yaml config you have in your post)
Configure your index document (usually index.html)
Configure any error/redirect/no-auth documents (for React this is usually also index.html)
Change the permissions to below works for me:
If your bucket policy grants public access, check if S3 Block Public Access is enabled on the bucket.
I recently created an S3 bucket on AWS through the console, with the default settigns (except the name, obviously). I try editing the Bucket Policy, but getting this error: "Error Access denied", both with my admin IAM user, and the root account.
How can I get access to edit S3 Bucket policies?
Answering my own question: by default, buckets have the following option set: "Block new public bucket policies". Turning this off will enable updating the Bucket Policy.