Hints — S3 Bucket Policy - Lab 05
Open each hint only after you’ve spent time investigating on your own.
Hint 1 — Where to look
The bucket exists and the file is in it. The issue is in how access is being controlled.
Open the S3 console, navigate to your bucket, and open the Permissions tab. What does the bucket policy say?
Hint 2 — Read the policy carefully
A bucket policy can contain more than one statement. Each statement has an Effect of either Allow or Deny.
How many statements are in this policy? What does each one do?
Hint 3 — How AWS evaluates policies
In AWS, an explicit Deny always wins — even if another statement in the same policy grants Allow for the same action.
Is there a statement in this policy that could be overriding the Allow?
Spoiler Alert — Full Solution
Root cause: The bucket policy contains two statements for s3:GetObject: one Allow and one Deny, both applying to all principals (*). In AWS policy evaluation an explicit Deny takes precedence over any Allow — so the Deny wins, and every request is blocked regardless of the Allow statement.
To fix the policy:
- Open the S3 console and navigate to your bucket
- Open the Permissions tab and scroll to Bucket policy
- Click Edit
- Find the statement with "Effect": "Deny" and delete it (leave the Allow statement in place)
- Click Save changes
- Open the Bucket URL — the AWS Broken Labs welcome page should now load
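The evaluation rule behind the root cause, as an added Python example that is not part of the lab: a constructed policy in the shape described above (an Allow and a Deny for s3:GetObject, both with Principal "*"), a simplified evaluator in which an explicit Deny overrides any Allow, and the fix of dropping the Deny statement. The bucket name and caller identity are placeholders.

```python
import copy
import json
from fnmatch import fnmatchcase

# Constructed policy mirroring the lab's broken state; bucket name is a placeholder.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-lab05-bucket/*"},
    {"Sid": "BlockAll", "Effect": "Deny", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-lab05-bucket/*"}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, caller):
    # "*" or {"AWS": "*"} means any principal; otherwise compare to the caller ARN.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller) for p in _as_list(principal.get("AWS", [])))
    return False

def _statement_matches(stmt, caller, action, resource):
    return (_principal_matches(stmt.get("Principal"), caller)
            and any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))

def evaluate(policy, caller, action, resource):
    """Simplified bucket-policy evaluation: an explicit Deny overrides any Allow,
    and a request matched by no statement at all is implicitly denied."""
    matching = [s for s in policy["Statement"] if _statement_matches(s, caller, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "Deny"
    return "Allow" if any(s["Effect"] == "Allow" for s in matching) else "Deny"

def remove_deny_statements(policy, action="s3:GetObject"):
    """The lab fix: remove Deny statement(s) covering the action, keep the Allow."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [s for s in fixed["Statement"]
                          if not (s["Effect"] == "Deny" and action in _as_list(s.get("Action", [])))]
    return fixed

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-lab05-bucket/index.html"
    print("before fix:", evaluate(BROKEN_POLICY, "anonymous", "s3:GetObject", obj))
    print("after fix: ", evaluate(remove_deny_statements(BROKEN_POLICY), "anonymous", "s3:GetObject", obj))
```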