By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

S3 Bucket Policy Issue[API: s3:PutBucketPolicy Access Denied]

0

I tried Implementing Bucket Policy Form S3website but this what i get from my Cloud Formmation

Failed to check if S3 Bucket Policy already exists due to lack of describe permission, you might be overriding or adopting an existing policy on this Bucket. API: s3:PutBucketPolicy Access Denied

Topics
Management & GovernanceDevOpsSecurity, Identity, & Compliance
Tags
AWS CloudFormationDevOpsIAM Policies
Language
English
Nafiu
asked 9 months ago357 views
2 Answers
2
Accepted Answer

The error message you've provided suggests that the IAM entity (user/role) attempting to set the bucket policy does not have the necessary permissions. Specifically, the entity does not have the s3:PutBucketPolicy permission for the given S3 bucket.

Here's how you can resolve this:

  • Check the IAM Policy attached to the entity: If it's an IAM User, Role or Group, go to the AWS IAM console and review the permissions attached. Ensure that the entity has the required permission for the S3 bucket in question.

  • Example policy to allow s3:PutBucketPolicy on a specific bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutBucketPolicy",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
        }
    ]
}

If you need to allow the entity to put a bucket policy on all buckets, you can replace the Resource value with "arn:aws:s3:::*".

  • S3 Block Public Access: Ensure that you have not enabled S3 Block Public Access at the account level or for the specific bucket. Sometimes, S3 Block Public Access settings can prevent the application of bucket policies that grant public access.

  • Assuming Roles: If you're assuming a role (using STS) to execute these actions, make sure that the assumed role has the necessary permissions.

  • Service Control Policies (for AWS Organizations): If you're using AWS Organizations and Service Control Policies (SCPs), ensure that the SCPs aren't denying the s3:PutBucketPolicy action.

  • Review Bucket Ownership: Make sure that the bucket is owned by your AWS account. If the bucket was transferred to you or created in another account, there might be cross-account permission issues.

  • Audit with AWS CloudTrail: If you have CloudTrail set up, you can look into the event logs to get more detailed information about which entity tried accessing and what was the exact reason for denial.

  • Explicit Denies: Ensure that there are no explicit Deny statements in any IAM policies attached to the entity that's causing the conflict with the permission.

Once you've determined the cause and adjusted the necessary permissions, try to apply the bucket policy again. If you're still facing issues, consider creating a minimal policy to test the permissions, and then build it up incrementally to achieve your desired configuration.

profile picture
Ercan -flightlesstux-
answered 9 months ago
profile picture
EXPERT
Antonio_Lagrotteria
reviewed 4 months ago
2

If this bucket is public then this is expected and you need to set ACL first then this PutBucketPolicy would be allowed.

I'd suggest you to check following two answers, where I described about same issue:

re:Post Answer-1

re:Post Answer-2

Also, look at the documentation in these two answers, which explains why you might be getting this error.

Hope you find this helpful.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content