Lab 05 - S3 Bucket Policy
Difficulty: Beginner | Service: Amazon S3
Scenario
Your team hosts a static website in S3. The bucket and policy were set up by a colleague and the stack deployed without errors — but every request to the site returns 403 Access Denied. The file is in the bucket. Something in the configuration is wrong.
What Was Deployed
| Resource | Purpose |
|---|---|
| AWS::S3::Bucket | S3 bucket with public access block partially disabled |
| AWS::S3::BucketPolicy | Bucket policy controlling public access to index.html |
The stack deployed without errors. The bucket exists, the file is uploaded, and a bucket policy is in place.
Deploy the Lab
- Open the AWS CloudFormation console
- Click Create stack > With new resources (standard)
- Select Upload a template file and upload lab-05-explicit-deny.yaml
- Enter a stack name (e.g., brokenlabs-lab-05) and click Next > Next > Submit
- Wait for the stack status to reach CREATE_COMPLETE
- Open the stack Outputs tab — you will see BucketName and BucketURL
The Problem
Open the BucketURL from the stack Outputs in your browser.
Expected: the page displays the AWS Broken Labs welcome page.
Actual: the browser returns an XML error:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>EEN63HXBJD24G08R</RequestId>
<HostId>
ZW2Wpr64vuzJ+qbQAAwHhKHVzSzDp39z6q8u4wfzfNjxJPkse0Q2bSH9AiYQPYtmw2cIosmLDTGkY+41XAPNZ10UvZfoOeNl
</HostId>
</Error>
The bucket exists and the file is in it. A bucket policy is in place.
Fix the Lab
Investigate the bucket policy and determine why access is being denied.
Need help? Open hints for progressive hints.
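When reading a bucket policy by hand, it helps to evaluate each statement against the exact request the browser makes (an anonymous s3:GetObject on index.html). The sketch below is an added example, not part of the lab or its template: it runs a simplified evaluation over a constructed sample policy and reports which statements decide the outcome. It assumes a made-up bucket name, models only Principal, Action and Resource, and ignores Block Public Access and ACLs.

```python
import json
import re

# Constructed sample policy (NOT the lab's real policy; bucket name is made up).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicReadIndex", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/index.html"},
  {"Sid": "DenyAllReads", "Effect": "Deny", "Principal": "*",
   "Action": "s3:Get*",
   "Resource": "arn:aws:s3:::example-bucket/*"}
]}
""")

# Elements this simplified evaluator does not model; flag them for manual review.
UNSUPPORTED = {"Condition", "NotAction", "NotResource", "NotPrincipal"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    # Policy wildcards: * matches any run of characters, ? exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _is_public(principal):
    # An anonymous browser request only matches a wildcard principal.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def evaluate_anonymous(policy, action, resource):
    """Return (decision, matching Sids) for an unauthenticated request."""
    hits = {"Allow": [], "Deny": []}
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if UNSUPPORTED & stmt.keys():
            raise ValueError(f"statement {i} uses elements that need manual review")
        if (_is_public(stmt.get("Principal"))
                and any(_glob(a, action, True) for a in _as_list(stmt["Action"]))
                and any(_glob(r, resource) for r in _as_list(stmt["Resource"]))):
            hits[stmt["Effect"]].append(stmt.get("Sid", f"statement[{i}]"))
    # Any matching Deny wins, no matter how many Allow statements also match.
    if hits["Deny"]:
        return "ExplicitDeny", hits["Deny"]
    return ("Allow", hits["Allow"]) if hits["Allow"] else ("ImplicitDeny", [])

if __name__ == "__main__":
    print(evaluate_anonymous(SAMPLE_POLICY, "s3:GetObject",
                             "arn:aws:s3:::example-bucket/index.html"))
```

To run it against a real bucket, replace SAMPLE_POLICY with the JSON shown on the bucket's Permissions tab in the S3 console and use that bucket's ARN in the resource argument.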
Cleanup
- Open CloudFormation, select your stack, and click Delete