24

I would appreciate it if anyone can point out where I'm going wrong. See the steps below.

  1. I have a domain name in Route 53.
  2. Based on the domain name, I have created a bucket name (for the sake of my question, let's stick to the bucket and domain name abc.nl).
  3. Created the bucket without changing any of the default settings in the provided checklist.
  4. Clicked the bucket (abc.nl) and added the "bucket policy" below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567:user/usrname"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::abc.nl/*"
        }
    ]
}
  5. I have given my user the AmazonS3FullAccess policy in IAM.
  6. My Block public access (account settings) is also unchanged.
  7. Now I uploaded all my static files to the bucket (abc.nl).
  8. In the Properties tab, I have added index.html under the static website hosting block.

Now, as per the manual, I should be able to click the link and access the page. But for some reason, it's throwing a 403 access forbidden error.

In my understanding, by simply adding a bucket policy you turn on public access. But for me, I don't see the "public" tag. So, I don't know what's going on. (My understanding could be wrong, hence this post.)

In case you are wondering which manual I'm following, it is the one on how to host a static website: https://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html

Anyway, can anyone point out where I'm going wrong and which options I should choose in the permissions for the bucket? I could be missing some lines.

PS: I have created and deleted the same bucket multiple times, just to start fresh every time.

change198

4 Answers

29

The Principal value of your bucket policy is wrong. Copied from the Example: Setting up a Static Website Using a Custom Domain that you have linked to:

To grant public read access, attach the following bucket policy to the example.com bucket, substituting the name of your bucket for example.com.

{
  "Version":"2012-10-17",
  "Statement":[{
    "Sid":"PublicReadGetObject",
    "Effect":"Allow",
    "Principal": "*",
    "Action":["s3:GetObject"],
    "Resource":["arn:aws:s3:::example.com/*"]
  }]
}
matsev
12

To make the bucket public (= everyone), you need to set * as principal in your bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::abc.nl/*"
        }
    ]
}

Please also check that you don't have Block public access settings on the bucket because it will prevent you from making the bucket public.

jogold
  • Then I'm doing something wrong. I have provided the bucket policy exactly as you have mentioned, but when I tried to save it, I got "Access denied", so I have edited the policy like this. I should have mentioned it. Now I'm confused: which user shall I use to create the bucket, "IAM User Name" or "Root account credentials"? Both of them have the same canonical IDs. Then why am I hitting Access denied? – change198 May 21 '19 at 19:59
  • You got access denied because the block public access settings prevent you from making your bucket public. You need to disable it on this bucket. – jogold May 21 '19 at 20:01
  • I don't follow you. Which buttons should be ticked? Is it the global one or the individual settings? – change198 May 21 '19 at 20:50
  • Disable it globally (account level) and if applicable on the bucket itself. You can of course enable this setting on other buckets that shouldn't be made public. – jogold May 21 '19 at 20:55
  • I would suggest only disabling it on a per-bucket basis (not globally), since its purpose is to protect you from accidentally making content public. Turn off the two options that mention Bucket Policy. – John Rotenstein May 21 '19 at 23:16
  • @JohnRotenstein are you sure this is possible? From the docs _These settings apply account-wide for all **current** and future buckets._ – jogold May 22 '19 at 15:09
  • 1
    **Oops, I was wrong!** Thank you @jogold. I had misunderstood the "account settings" options, thinking they were just setting default values. After a bit of experimentation, I can confirm that the account settings override individual buckets, allowing people to block public access in one click (which is nice and comforting). So, people will need to disable options at the "account settings" level first, then at the bucket level. I would recommend being careful which "account settings" options are turned off by understanding each option before simply deactivating them all. Thanks, @jogold! – John Rotenstein May 22 '19 at 21:05
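
The two causes discussed in this answer and its comments (a Principal that does not cover anonymous callers, and Block Public Access flags set at account or bucket level), as an added example that is not part of the original thread: an offline check over a policy document and Block Public Access settings. The `diagnose` helper and the sample inputs are constructed for illustration; the four flag names are S3's own, and Condition keys are not evaluated.

```python
import json
from fnmatch import fnmatchcase

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    # "*" and {"AWS": "*"} both match every caller, signed in or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def diagnose(policy_json, bucket, account_bpa, bucket_bpa):
    """Explain why anonymous reads of a website bucket fail (Conditions ignored)."""
    findings = []
    sample = f"arn:aws:s3:::{bucket}/index.html"  # stands for any object in the bucket
    allows = [s for s in as_list(json.loads(policy_json)["Statement"])
              if s.get("Effect") == "Allow"
              and any(fnmatchcase("s3:getobject", a.lower())
                      for a in as_list(s.get("Action", [])))
              and any(fnmatchcase(sample, r) for r in as_list(s.get("Resource", [])))]
    if not allows:
        findings.append("no Allow for s3:GetObject on the bucket's objects (Resource needs /*)")
    elif not any(is_anonymous(s.get("Principal")) for s in allows):
        findings.append('Principal is not "*": anonymous browsers get 403')
    # A Block Public Access flag applies if it is set at account OR bucket level.
    def on(flag):
        return account_bpa.get(flag, False) or bucket_bpa.get(flag, False)
    if on("BlockPublicPolicy"):
        findings.append("BlockPublicPolicy on: saving a public policy returns Access Denied")
    if on("RestrictPublicBuckets"):
        findings.append("RestrictPublicBuckets on: public policy not honoured for anonymous callers")
    return findings

# Constructed inputs: the question's policy, the corrected one, and BPA settings.
ASKER = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::1234567:user/usrname"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::abc.nl/*"}]})
FIXED = ASKER.replace('{"AWS": "arn:aws:iam::1234567:user/usrname"}', '"*"')
ALL_ON = dict.fromkeys(["BlockPublicAcls", "IgnorePublicAcls",
                        "BlockPublicPolicy", "RestrictPublicBuckets"], True)
POLICY_OFF = {**ALL_ON, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for name, pol, bpa in [("as posted", ASKER, ALL_ON), ("fixed", FIXED, POLICY_OFF)]:
        print(name, diagnose(pol, "abc.nl", bpa, bpa) or "OK: anonymous GET allowed")
```

Only the two policy-related flags are turned off in `POLICY_OFF`; the two ACL flags stay on, which matches the advice in the comments to understand each option before deactivating it.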
4
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::pasteyourbucketname(copy&pasteARNName)/*"
        }
    ]
}
Koray Tugay
Saurabh
4

Follow the steps below; they work 100%.

  1. Under Buckets, choose the name of your bucket.
  2. Choose Permissions.
  3. Under Bucket Policy, choose Edit.
  4. To grant public read access to your website, copy the following bucket policy, and paste it into the Bucket policy editor.

IMPORTANT NOTE: After YOUR BUCKET NAME is a slash with an asterisk (/*)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-NAME/*"
            ]
        }
    ]
}

NOTE: AWS documentation Link

oscar