s3:PutBucketPolicy Access Denied

,

Hi,

I am following the guidelines to create S3 bucket which is served via CloudFront.
S3 bucket does not need a public access, as the content is served from CloudFront.

It seems that CloudFormation does not have the permission to generate the required S3 policy.
Due to that, I receive the following error:

CREATE_FAILED: S3AccessPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied

Could it be related to the following:

serverless.yml

resources:
  Resources:
    ## Specifying the S3 Bucket
    ReactAppBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:custom.bucketName}
        WebsiteConfiguration:
          IndexDocument: index.html
          ErrorDocument: index.html
    ## Specifying the policies to make sure all files inside the Bucket are avaialble to CloudFront
    S3AccessPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket:
          Ref: ReactAppBucket
        PolicyDocument:
          Statement:
            - Sid: PublicReadGetObject
              Effect: Allow
              Principal: '*'
              Action:
                - s3:GetObject
              Resource: arn:aws:s3:::${self:custom.bucketName}/*
            - Sid: AllowPutBucketPolicy
              Effect: Allow
              Principal: '*'
              Action:
                - s3:PutBucketPolicy
              Resource: arn:aws:s3:::${self:custom.bucketName}

AWS made changes to S3 bucket access, I created a pull request updating the example:

1 Like

Do you know how I can configure this but without using CloudFront?

I’m having the same exact error but I am not using CloudFront and I know it has to do with the BlockPublicPolicy now as default for new S3 Buckets, but I don’t know how to configure that in my serverless node.js project.

Check this link:
AWS::S3::Bucket (examples)

Here are the settings I am using:

resources:
  Resources:
    ImageUploadBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:custom.imageUploadBucket}

        # Granting public access to bucket
        PublicAccessBlockConfiguration:
          BlockPublicAcls: false
          BlockPublicPolicy: false
          IgnorePublicAcls: false
          RestrictPublicBuckets: false

    ImageUploadBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref ImageUploadBucket
        PolicyDocument:
          Version: '2008-10-17'
          Statement:
            - Sid: AllowPublicReadAccess
              Effect: Allow
              Principal: '*'
              Action: 's3:GetObject'
              Resource: arn:aws:s3:::${self:custom.imageUploadBucket}/*
              Condition:
                Bool:
                  aws:SecureTransport: 'true' # https://repost.aws/knowledge-center/s3-bucket-policy-for-config-rule
1 Like

Just to complete what you mentionned which is true, here’s a blog post i wrote regarding that issue named How to solve the “api:s3:putbucketpolicy access denied” Error.

1 Like