18

I am new to AWS. I am setting up an S3 bucket that I want to use to store media files for a Django App I am developing.

I am logged in as the person who created the AWS account, but when I click on the permissions tab and then try to edit the bucket policy I am getting a message that states "You don't have permissions to edit bucket policy".

I am following a guide which describes the configuration for Django setup, but my understanding is that the purpose of doing this is to allow public read access to the files. I was able to set the CORS policy without any problems.

I created an IAM user and logged in as them, and it still gives errors. That IAM user has permissions to all S3 buckets. The error states "After you or your AWS administrator have updated your permissions to allow the s3:PutBucketPolicy action, choose Save changes."

I went to the policy applied to the bucket and it has this permission. Here is the JSON.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "mybucketARN"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "mybucketARN"
        }
    ]
}
RLBChrisBriant
  • 1
    S3 permissions can be tricky. Try logging in as the AWS root user. – Tim Jan 17 '21 at 17:20
  • You can also create an admin policy/roles for yourself. AWS has a managed administrator policy. Root user is the fastest way though. – jdopenvpn Jan 17 '21 at 17:23
  • 1
    I am logged on as the root user when trying to do this. – RLBChrisBriant Jan 18 '21 at 06:35
  • You cannot edit some policy when you have "Block Public Access" unchecked. Enable it and try again. https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/ – Ananth Apr 01 '21 at 05:09

2 Answers

11

It was necessary to enable public access on the bucket and then I was able to save the bucket policy.

This is the policy I was adding.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "myBucketarn"
    }
  ]
}
Tim
RLBChrisBriant
  • That doesn't sound quite right. The permission for updating a bucket policy is s3:PutBucketPolicy. – Tim Jan 19 '21 at 20:23
  • The policy in the answer is for public access. The policy in the question is the rights for the admin users. – RLBChrisBriant Jan 20 '21 at 18:11
4

When you try to allocate a bucket policy and it has "*" in the Principal, then it is required that "Block public access" setting should be disabled. Otherwise, you will get the error "After you or your AWS administrator have updated your permissions to allow the s3:PutBucketPolicy action, choose Save changes."

The problem in your original question was that you have put a policy which does not look like a bucket policy as there is no Principal in it.

You can very well put a bucket policy which has a specific ARN in Principal even without disabling "Block public access" setting.

Hope it helps!
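
The answers above turn on whether a policy statement names a wildcard Principal, a specific Principal, or none at all. As an added example (not code from either poster, and a simplified check rather than AWS's own public-policy evaluation), this script classifies statements that way before you try to save a policy; the bucket name, account ID and user ARN are constructed placeholders.

```python
import json

# Constructed samples modelled on the policies in this thread; all ARNs are placeholders.
IDENTITY_STYLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"}]}""")
PUBLIC_READ = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")


def _is_wildcard(principal):
    """True for "*" or a principal map such as {"AWS": "*"} or {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def review_bucket_policy(policy):
    """Return (statement_label, finding) tuples for one policy document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        label = stmt.get("Sid", f"statement[{index}]")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            # Identity-policy shape: a bucket policy statement must name a principal.
            findings.append((label, "no-principal"))
        elif stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
            # Assumption: any Condition is left for manual review, not evaluated here.
            kind = "wildcard-conditional" if stmt.get("Condition") else "public"
            findings.append((label, kind))
    return findings


if __name__ == "__main__":
    samples = [("identity-style", IDENTITY_STYLE), ("public-read", PUBLIC_READ), ("scoped", SCOPED)]
    for name, doc in samples:
        print(name, review_bucket_policy(doc))
```

A "public" finding marks a policy that needs "Block public access" disabled before it can be saved, and "no-principal" marks a document that belongs on an IAM user or role instead of the bucket.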