AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

Failure to create an s3 bucket with "publicReadAccess: true" config

0

If I set "publicReadAccess: true" in the aws CDK to create an s3 bucket, I get this error after "cdk deploy": my-bucket-name/Policy (bucketmortezanam1402Policy99FD46CD) API: s3:PutBucketPolicy Access Denied

But, if I set "publicReadAccess: false" everything goes well.

What is the problem? Is it not allowed to choose some of the configurations in the CDK?

주제
관리 및 거버넌스AWS Cloud 개발 키트(CDK)
태그
AWS CloudFormationAWS Cloud 개발 키트(CDK)
언어
English
MORTEZA NAMVAR
질문됨 10달 전1396회 조회
1개 답변
2
수락된 답변

This is happening because you are putting the bucket policy which is open to all, while any s3 bucket by default is blocked to public(aws default). If you really want to setup the bucket policy that way, then you would need to make your bucket public first, otherwise, this error will keep coming.

Recently AWS enabled feature, where all newly created s3 buckets would block public access by default, since in this template, those settings are not specified, hence PutBucketPolicy is failing as it's trying to make bucket public. Refer this blog

Refer this document, which says that if you don't specify these configurations at the time of bucket creation, bucket policy for public would fail. Attaching snapshot for your quick reference.

See Granting public access to S3 buckets example from this document.

Enter image description here

Here is what you'd need to add in your bucket creation block.

This is cloudformation template version:

           CreateBucket:
              Type: AWS::S3::Bucket
              Properties:
                 BucketName:
                    Ref: DeliveryBucket
                 AccessControl: PublicRead
                 PublicAccessBlockConfiguration:
                   BlockPublicAcls: false
                   BlockPublicPolicy: false
                   IgnorePublicAcls: false
                   RestrictPublicBuckets: false

Here is the CDK version:

 const mys3_bucket = new Bucket(stack, "public-read", {
 		     cdk: {
     		     bucket: {
			     publicReadAccess: true,
			     blockPublicAccess: {
				     blockPublicAcls: false,
				     blockPublicPolicy: false,
				     ignorePublicAcls: false,
				     restrictPublicBuckets: false,
			     }
		     }
	     }
     });

Hope you find this helpful.

Abhishek

profile pictureAWS
전문가
secondabhi_aws
답변함 10달 전
profile pictureAWS
전문가
Didier_Durand
검토됨 10달 전
  • MORTEZA NAMVAR
    10달 전

    I changed the code in this way: const s3bucket = new s3.Bucket(this, 'bucketmortezanam1402', { bucketName: 'my-bucketmortezanam1402', versioned: false, // publicReadAccess: false, removalPolicy: cdk.RemovalPolicy.DESTROY,
    accessControl: s3.BucketAccessControl.PUBLIC_READ, publicReadAccess: true, blockPublicAccess: { blockPublicAcls: false, blockPublicPolicy: false, ignorePublicAcls: false, restrictPublicBuckets: false, }, });

    But I get this error:

    Failed resources: InfraStack | 11:00:26 AM | CREATE_FAILED | AWS::S3::Bucket | bucketmortezanam1402 (bucketmortezanam1402EC6DFFF8) Bucket cannot have public ACLs set with BlockPublicAccess enabled (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithBlockPublicAccessError; Request ID: DVYY8N1JN3D4C41E; S3 Extended Request ID: YycOC/zBll19GA39NqFK5Vxa9ylG1mkr5S9YJsmdG5MvQOZ8c9YQ0XlbuRgmFfuslsa08yFgq2E=; Proxy: null)

  • secondabhi_aws 전문가
    10달 전

    Hi Morteza, Can you take look at this thread, I found another user achieved this, however he faced different issue but your problem can be fixed by following exactly what he did.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠