I cannot access domain whose bluehacking.com is set Amazon routes&S3.
I bought bluehacking.com in Amazon routes.Now I want to access bluehacking.com.So,I went to Amazon S3,made bucket whose name is bluehacking.com and set Permission of Bucket Policy like
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bluehacking.com/*"
}
]
}
I upload index.html in Static website hosting.
However when I access bluehacking.com,"You cannot access this site" is shown.index.html is not shown. What is wrong in my setting?How should I fix this?
You need to set public read access to your bucket:
{
"Version":"2012-10-17",
"Statement":[{
"Sid":"PublicReadGetObject",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::bluehacking.com/*"
]
}
]
}
Related
I have a bucket that contains some images. The bucket is publicly accessible using the following policy.
{
"Version": "2008-10-17",
"Id": "s3BucketPolicy",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::Bucketname/*"
}
]
}
Also I have a cloudfront distribution that points to the same bucket. My problem now is that my file is accessible from both cloudfront link and bucket link.
CloudfrontLink: www.xxxxxx.xxxx/xxxx
BucketLink: www.bucketname/xxx
My question how can i make my bucket publicly accessible using cloudfront only. I don't want signed urls or cookies. I want any my anyone with cloudfrontlink to be able to access the image and prevent anyone with bucketlink from accessing the image.
Change the S3 bucket policy principal to the OAI of the CloudFront Distribution. For example:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ABCDABCDABCDAB"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*"
}
]
}
This will prevent access to the bucket contents outside of CloudFront. You don't need signed URLS here. See the documentation for more details.
The bucket is configured to have public access disabled, but with the following bucket policy:
{
"Version": "2012-10-17",
"Id": "Policy1571348371588",
"Statement": [
{
"Sid": "Stmt1571348370292",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::932534461852:user/test-user"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::test.test.com",
"arn:aws:s3:::test.test.com/*"
]
}
]
}
The IAM is also attached with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::test.test.com"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:PutAccountPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": "*"
}
]
}
The bucket's public access setting is:
Block all public access
On
Block public access to buckets and objects granted through new access control lists (ACLs)
On
Block public access to buckets and objects granted through any access control lists (ACLs)
On
Block public access to buckets and objects granted through new public bucket policies
On
Block public and cross-account access to buckets and objects through any public bucket policies
On
I have verified that the cli and the sdk are using the same access key and secret key, and I can use console and cli to upload files without problem, but when I try with node.js's aws-sdk: 2.551.0, I got access denied error.
Where can go wrong?
The problem is likely to be that your Node.js client is using the wrong credentials, is targeting the wrong bucket, or is invoking an action not allowed in the IAM policy. You haven't provided any code so we can't validate the latter.
Also, you don't need to allow the IAM user in an S3 bucket policy if the IAM user's policy allows the necessary S3 actions/resources, so you can remove the bucket policy.
I've a private bucket with OAI and CloudFront. When I upload an item to the bucket I can visit it using the CloudFront URL but not via the S3 url:
My policy looks like this
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowCloudFrontRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity xxx"
},
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::xxx/*"
}
]
}
My IAM user has the permission to upload and get from the bucket.
Now I want that my user (or my account) can visit the S3 URL (not the CloudFront URL) to access the object in the bucket without the need to make the bucket public.
How can I do this?
I tried to update the bucket policy like this but it didn't work.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowCloudFrontRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity xxx"
},
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::xxx/*"
},
{
"Sid": "AllowPolicyRead",
"Effect": "Allow",
"Principal": {
"AWS": "xxxxx"
},
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::xxx/*"
}
]
}
From the CLI my user can get and upload objects.
IAM or bucket policies give you API level access to S3. It is not possible to download S3 files without making buckets public.
I will appreciate if anyone can point me out where I'm doing wrong. see below steps
I have a domain name in route53.
Based on the domain name, I have created a bucket name ( for sake of my question lets stick to bucket and domain name as abc.nl)
Created the bucket, without changing any default provided check-list.
Clicked the bucket(abc.nl) and added below "bucket policy"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234567:user/usrname"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::abc.nl/*"
}
]
}
I have provided my username policy of AmazonS3FullAccess in IAM.
My Block public access (account settings) also unchanged.
Now I uploaded my all static files to the bucket(abc.nl).
In properties tab, I have added index.html under static website hosting block.
Now, as per the manual, I should able to click the link and access the page.
But for some reason, it's throwing me 403 access forbidden error.
In my understanding, by simply adding bucket policy you turn on public access. But for me, I don't see "public" tag. So, don't know what's going on. (My understanding could be wrong, hence this post.)
In case you are wondering which manual, I'm following, https://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.htmlhow to host static web site.
Anyway, anyone points me out, where I'm doing wrong and which options should I choose from the permissions for the bucket? I could be missing out some lines.
PS: I have created and deleted the same bucket multiple times, just to start fresh every time.
The Principal value of your bucket policy is wrong. Copied from the Example: Setting up a Static Website Using a Custom Domain that you have linked to:
To grant public read access, attach the following bucket policy to the example.com bucket, substituting the name of your bucket for example.com.
{
"Version":"2012-10-17",
"Statement":[{
"Sid":"PublicReadGetObject",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::example.com/*"]
}]
}
To make the bucket public (= everyone), you need to set * as principal in your bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::abc.nl/*"
}
]
}
Please also check that you don't have Block public access settings on the bucket because it will prevent you from making the bucket public.
Follow the below Steps 100% working.
Under Buckets, choose the name of your bucket.
Choose Permissions.
Under Bucket Policy, choose Edit.
To grant public read access to your website, copy the following bucket policy, and paste it into the Bucket policy editor.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::**YOUR-BUCKET-NAME**/*"
]
}
]
}
NOTE: AWS documentation Link
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicRead",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::pasteyourbucketname(copy&pasteARNName)/*"
}
]
}
I've configured my bucket policy (for a static website hosted on an S3 bucket) so that another account can perform actions on this bucket. The policy looks something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket.com/*"
},
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00000000000:user/username"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket.com"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000000:user/username"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket.com/*"
}
]
}
The first object in "Statement" specifies that this bucket should be readable by the public, so that anyone can access the site (I am using Route 53 as well).
The second account is able to upload files to the bucket, however once he uploads a file, then access is restricted to that file, i.e. if he uploads index.html to the top-level directory of the bucket, then navigating to the website will produce a 403 access denied error.
I have looked into IAM roles, which I think may be related but would appreciate any help with this.