
Amazon S3: I have created a bucket and set up CloudWatch. Logs are being generated for audit and trace. But with S3, I am able to share individual file download links only. Is there any option to set the complete bucket/folder to public so that users can access it? I tried updating the bucket policy, but no use.

Policy I tried:

{
  "Id": "Policy1397632521960",
  "Statement": [
    {
      "Sid": "Stmt1397633323327",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucketnm/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}

But I still get the issue below:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>C3A5489DCEA8A2EA</RequestId>
<HostId>qjKSgWX6fnyPlAiCgq0RxxqK2ZEHZqEewahAlsdIAgznNRmezwif6NoP67FD9ysuH1psi4lO4m8=</HostId>
</Error>
  • Create a bucket IAM policy – petrch Feb 17 '21 at 12:47
  • I tried the policy in this link (first answer): https://stackoverflow.com/questions/19176926/how-to-make-all-objects-in-aws-s3-bucket-public-by-default/23102551#23102551 But still the same error. – uday kiran Feb 17 '21 at 13:02
  • OK, when you open the Policy tab on the S3 bucket, what is in the "Block public access" section? – petrch Feb 17 '21 at 13:19
  • It is unchecked – uday kiran Feb 17 '21 at 13:25
  • Reading https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html I think your setup is what you need, only this: "You can use a bucket policy to grant public read permission to your objects. However, the bucket policy applies only to objects that are owned by the bucket owner. If your bucket contains objects that aren't owned by the bucket owner, the bucket owner should use the object access control list (ACL) to grant public READ permission on those objects." Owner = account ID; it would be your case only if you uploaded from a different AWS account. – petrch Feb 17 '21 at 13:56
  • "Resource": "arn:aws:s3:::/*" – are you using your bucket name? – Jatin Mehrotra Feb 17 '21 at 13:58
  • Yes, I am using my bucket name only – uday kiran Feb 17 '21 at 16:16
  • petrch has mentioned a common issue in cross-account scenarios; did you verify the owner of the objects you want to publish? – Maurice Feb 17 '21 at 16:46
  • Yeah, it is a new bucket created from my account only. – uday kiran Feb 17 '21 at 16:48
  • @udaykiran How is the object being accessed? Is it via a browser URL (where are you getting the URL), or an API call? Firstly, I would recommend against making log information public since it can reveal details about your infrastructure. Secondly, you have granted access to any AWS entity (`"Principal":{"AWS":["*"]}`), which is not quite "public". To be public, you would use `"Principal":"*"`. – John Rotenstein Feb 17 '21 at 21:22
  • Hi John, still the same – uday kiran Feb 18 '21 at 19:08
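Added example, not code from the question or its commenters: an offline Python checker for the situation in this thread. Given a bucket policy as a dict, the bucket name and the bucket's "Block public access" settings, it reports every reason an anonymous GetObject on the bucket's objects would still be denied (a Resource ARN without the bucket name, a non-anonymous Principal, a public-access-block setting), accepting both wildcard Principal forms discussed in the comments. The embedded policy is a constructed copy of the questioner's; `BlockPublicPolicy` and `RestrictPublicBuckets` are the real S3 public access block setting names, and the function names are this example's own.

```python
import fnmatch

# Constructed sample that mirrors the questioner's policy (bucket name "bucketnm" as in the post).
POLICY = {
    "Id": "Policy1397632521960",
    "Statement": [{
        "Sid": "Stmt1397633323327",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucketnm/*",
        "Principal": {"AWS": ["*"]},
    }],
}

def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principal_is_anonymous(principal):
    """True for both wildcard forms mentioned in the thread: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and _as_list(principal.get("AWS", [])) == ["*"]

def diagnose_public_read(policy, bucket, public_access_block):
    """Reasons an anonymous s3:GetObject on any object in `bucket` would still be denied.
    public_access_block: the S3 "Block public access" settings as booleans (all False ==
    unchecked). Object ownership by another account (the ACL caveat) is not checked."""
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    findings, granted = [], False
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(
                fnmatch.fnmatchcase("s3:GetObject", a) for a in actions):
            continue  # not a statement that could allow reads at all
        if not principal_is_anonymous(st.get("Principal")):
            findings.append(f"{st.get('Sid')}: Principal {st.get('Principal')!r} is not anonymous")
            continue
        # Resource entries are patterns; one must cover the objects ARN (a missing bucket name fails).
        if any(fnmatch.fnmatchcase(objects_arn, r) for r in _as_list(st.get("Resource", []))):
            granted = True
        else:
            findings.append(f"{st.get('Sid')}: Resource {st.get('Resource')!r} does not cover {objects_arn}")
    if not granted:
        findings.append("no Allow statement grants s3:GetObject to an anonymous principal on every object")
    # Either account/bucket setting rejects or overrides a public bucket policy whatever it says.
    for key in ("BlockPublicPolicy", "RestrictPublicBuckets"):
        if public_access_block.get(key):
            findings.append(f"Block public access setting {key} is enabled")
    return findings
```

An empty result means the policy itself grants anonymous read and nothing in the supplied settings blocks it, so the remaining suspects are the ones the checker cannot see offline, such as object ownership by another account.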

0 Answers