Certified Security - Specialty


S3 Object Level Access Denied

I am trying to allow public access to an object via ACL in a bucket which is private; however, I am getting the message "Access Denied". Is the bucket-level policy preventing any changes in the underlying objects?

James Kelleher

I’m having the same issue. I just went through the steps again and noticed an alert message under the object heading "Public Access" that says "The block public access settings turned on for this bucket prevent granting public access." If I go back to the permissions for the bucket, it is still set to "Block all public access". Note that this button does not appear in the screenshots from the lesson. I updated the bucket by unchecking all of the "Block public access" fields. This allowed me to set an ACL at the object level. I was then able to access the object by clicking on the link. Looks like this lesson needs to be updated.

James Kelleher

Also note that after you deselect the four "Block Public Access" buttons, the status of the S3 bucket does not go to "Public"; it goes to "Objects can be public".

Sam R.

I reported that section of the video so hopefully they’ll update/fix it because it threw me off as well

3 Answers

Bucket Policy has priority over ACL policy

Hi,

When multiple access control mechanisms come into play, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.

In accordance with the principle of least privilege, decisions default to DENY and an explicit DENY always trumps an ALLOW. For example, if an IAM policy grants access to an object, the S3 bucket policy denies access to that object, and there is no S3 ACL, then access will be denied.

Similarly, if no method specifies an ALLOW, then the request will be denied by default. Only if no method specifies a DENY and one or more methods specify an ALLOW will the request be allowed.

So it is basically a combination of all the access control mechanisms. If your ACL or Bucket Policy is set to Deny, then access will be denied.

There is a good diagram here, explaining this really well:

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

The content of the training needs to be updated to include that the "Block public access (bucket settings)" need to be adjusted in order to even create an ACL which allows public access to an object. Otherwise you cannot create it at all.
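The evaluation rule described in the first answer (union of IAM policy, bucket policy and ACL; default Deny; explicit Deny wins) and the Block Public Access gate described in the second answer, as an added worked example. This is a small model written for this page, not AWS code or code from either answer; the names PublicAccessBlock, put_object_acl, anonymous_get_object and walkthrough are invented for the illustration, and only the four BPA setting names mirror the real PutPublicAccessBlock API. It replays the thread: the default settings reject the public ACL, clearing them lets the ACL through, and a bucket-policy Deny still overrides the public ACL.

```python
# Added example (not from the original thread or from AWS): a small model of
# the S3 authorization rule from the first answer plus the Block Public Access
# (BPA) gate from the second. PublicAccessBlock, put_object_acl,
# anonymous_get_object and walkthrough are invented names; only the four BPA
# setting names mirror the real S3 API.
from dataclasses import dataclass
from typing import Optional

# Canned ACLs that grant to the AllUsers group, i.e. make an object public.
PUBLIC_ACLS = {"public-read", "public-read-write"}


@dataclass
class PublicAccessBlock:
    """The four bucket-level Block Public Access settings (all on by default
    for new buckets, which is what the thread ran into)."""
    block_public_acls: bool = True        # reject PUTs of public ACLs
    ignore_public_acls: bool = True       # treat existing public ACLs as private
    block_public_policy: bool = True      # reject bucket policies granting public access
    restrict_public_buckets: bool = True  # limit who may use an existing public policy


def combine(*effects: Optional[str]) -> str:
    """Union rule from the answer: default Deny; an explicit Deny from any
    mechanism wins; otherwise Allow if at least one mechanism allows."""
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "Deny"


def put_object_acl(bpa: PublicAccessBlock, requested_acl: str) -> str:
    """Model of PutObjectAcl. With BlockPublicAcls on, a public canned ACL is
    rejected with AccessDenied, which is the error the original poster saw.
    Returns the ACL now stored on the object."""
    if requested_acl in PUBLIC_ACLS and bpa.block_public_acls:
        raise PermissionError("AccessDenied: BlockPublicAcls is enabled on the bucket")
    return requested_acl


def acl_effect_for_anonymous(bpa: PublicAccessBlock, stored_acl: str) -> Optional[str]:
    """An ACL can only grant, never deny. A stored public ACL grants anonymous
    reads unless IgnorePublicAcls tells S3 to disregard it."""
    if stored_acl in PUBLIC_ACLS and not bpa.ignore_public_acls:
        return "Allow"
    return None


def anonymous_get_object(bpa: PublicAccessBlock, stored_acl: str,
                         bucket_policy_effect: Optional[str] = None) -> str:
    """Decision for an unauthenticated GetObject. An anonymous caller has no
    IAM policy, so only the bucket policy and the object ACL contribute."""
    return combine(bucket_policy_effect, acl_effect_for_anonymous(bpa, stored_acl))


def walkthrough() -> dict:
    """Replays the thread: default BPA blocks the ACL change; clearing all four
    settings lets the ACL through and the object becomes readable; an explicit
    Deny in the bucket policy still wins over the public ACL."""
    results = {}
    default_bpa = PublicAccessBlock()
    try:
        put_object_acl(default_bpa, "public-read")
        results["put_acl_with_bpa"] = "succeeded"
    except PermissionError as exc:
        results["put_acl_with_bpa"] = str(exc)

    open_bpa = PublicAccessBlock(False, False, False, False)
    stored = put_object_acl(open_bpa, "public-read")
    results["put_acl_without_bpa"] = stored
    results["anon_get_public_acl"] = anonymous_get_object(open_bpa, stored)
    results["anon_get_public_acl_policy_deny"] = anonymous_get_object(open_bpa, stored, "Deny")
    results["anon_get_private_acl"] = anonymous_get_object(open_bpa, "private")
    # Only BlockPublicAcls off: the PUT succeeds, but IgnorePublicAcls still
    # neutralises the stored public ACL, so the object stays private.
    half_open = PublicAccessBlock(block_public_acls=False)
    results["anon_get_ignore_public_acls"] = anonymous_get_object(
        half_open, put_object_acl(half_open, "public-read"))
    return results


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

The last case is why James's bucket read "Objects can be public" rather than "Public" only after all four boxes were cleared: BlockPublicAcls controls whether the PUT is accepted, while IgnorePublicAcls controls whether a stored public ACL has any effect. Note also that the same four settings exist at the account level; if they are on there, clearing them on the bucket is not enough. Before clearing them at all, check whether a bucket policy scoped to the specific prefix would serve, since a public ACL on a single object is easy to lose track of.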
