Hints — S3 Access - Lab 01
Open each hint only after you’ve spent time investigating on your own.
Hint 1 — Where to look
Open the S3 console, navigate to your bucket, and examine the Permissions tab.
Hint 2 — What to look for
On the Permissions tab, look at two things side by side:
- The Block public access (bucket settings) section
- The Bucket policy section
What is in the Bucket policy section? What do the Block Public Access settings show?
Hint 3 — The conflict
The Bucket policy section is empty — there is no policy granting public access.
One of the four Block Public Access flags is enabled: Block public policy
(BlockPublicPolicy: true). When this flag is on, S3 rejects any attempt to save a
bucket policy that grants public access, so the public policy was never applied.
Without a public bucket policy, all unauthenticated requests return 403 Access Denied.
Spoiler Alert — Full Solution
Root cause: BlockPublicPolicy is set to true, which prevented a public bucket
policy from being saved. Without the policy, there is nothing granting public read
access to objects in the bucket.
Fix via AWS Console
Step 1 — Disable Block public policy
- Open the S3 console and select your bucket
- Click the Permissions tab
- Under Block public access (bucket settings), click Edit
- Uncheck Block public policy
- Click Save changes, type confirm, and click Confirm
Step 2 — Add the bucket policy
- On the Permissions tab, scroll to Bucket policy and click Edit
- Paste the following policy, replacing BUCKET-NAME with your bucket name:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PublicReadGetObject",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKET-NAME/*"
        }
      ]
    }

- Click Save changes
- Retry the BucketURL from the stack Outputs — it should now load
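
The check described in Hint 3 and the solution can be modelled offline. This is an added example, not part of the lab's own material: `diagnose` and `grants_public_read` are hypothetical helpers, the inputs are constructed samples shaped like the bucket's Block Public Access configuration and policy document, and the public-policy test is a simplification that ignores ACLs, policy conditions and account-level Block Public Access.

```python
import json

def grants_public_read(stmt):
    # Simplified test (assumption): an unconditioned Allow of s3:GetObject to "*".
    principal = stmt.get("Principal")
    anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    reads = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
    return stmt.get("Effect") == "Allow" and anyone and reads and "Condition" not in stmt

def diagnose(bpa, policy_text):
    """Return (expected HTTP status, reasons) for an anonymous GET of an existing object."""
    statements = json.loads(policy_text).get("Statement", []) if policy_text else []
    if isinstance(statements, dict):
        statements = [statements]
    reasons = []
    if not any(grants_public_read(s) for s in statements):
        reasons.append("no bucket policy statement grants public s3:GetObject")
        if bpa.get("BlockPublicPolicy"):
            reasons.append("BlockPublicPolicy is true, so S3 rejects saving a public policy")
    elif bpa.get("RestrictPublicBuckets"):
        reasons.append("RestrictPublicBuckets is true, so the public policy "
                       "is not honoured for anonymous requests")
    return (403 if reasons else 200), reasons

# Constructed sample data: the lab's starting state and the state after the fix.
LAB_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
FIXED_BPA = dict(LAB_BPA, BlockPublicPolicy=False)
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::BUCKET-NAME/*"}],
})

if __name__ == "__main__":
    for label, bpa, policy in [("lab start", LAB_BPA, None),
                               ("after fix", FIXED_BPA, PUBLIC_POLICY)]:
        print(label, diagnose(bpa, policy))
```

The RestrictPublicBuckets branch covers a state the lab does not start in: with that flag on, a saved public policy still does not serve anonymous requests.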