s3.Bucket: CDK Deploy: s3:PutBucketPolicy Access Denied

[0xdevalias]

Describe the bug

When creating a new S3 bucket with publicReadAccess set to true:

const siteBucket = new Bucket(this, 'SiteBucket', {
  // ..snip..
  publicReadAccess: true,
  // ..snip..
})

Since the new AWS defaults on public buckets:

• https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/

Attempting to deploy the stack will fail with an error like this:

CREATE_FAILED        | AWS::S3::BucketPolicy                | SiteBucketPolicy3AC1D0F8
API: s3:PutBucketPolicy Access Denied

Expected Behavior

Given this seems to be incompatible with the new defaults on AWS, I would expect that this should do some measure of:

• Throw a TypeScript error as a disallowed combination of keys
• Throw an actual runtime error + explain how to resolve it
• Automagically set/default the underlying permissions/control policies/etc so that the code continues to 'just work' as expected; without needing to know the depths and intrinsic relations of the various settings to one another
• Etc

Current Behavior

See above

Reproduction Steps

Deploy a stack with a new S3 Bucket with publicReadAccess set to true.

Possible Solution

See above + the solutions given on the following:

• https://www.reddit.com/r/aws/comments/12tqqpw/aws_cdk_api_s3_putbucketpolicy_access_denied_and/
• ‼️ NOTICE: new S3 Buckets trying to use ACLs fail to create if not explicitly opted in #25358

Additional Information/Context

Both of these are the same issue, but those users closed them prematurely as 'user issues', when in fact the CDK should more explicitly and correctly handle this situation:

• CDK Deploy: s3:PutBucketPolicy Access Denied when deploying static site #25231
• S3 Bucket with public read access fails to create #3102

This Reddit thread also contains a number of people who hit this same issue:

• https://www.reddit.com/r/aws/comments/12tqqpw/aws_cdk_api_s3_putbucketpolicy_access_denied_and/

This is also the same root issue I believe, yet it mistakenly claims that it should be fixed from aws-cdk-lib >=2.77.0, but it seems to miss the edge case of the publicReadAccess key being set to true creating a AWS::S3::BucketPolicy:

• ‼️ NOTICE: new S3 Buckets trying to use ACLs fail to create if not explicitly opted in #25358

You can also see my full original notes on this comment:

• ‼️ NOTICE: new S3 Buckets trying to use ACLs fail to create if not explicitly opted in #25358 (comment)

These sections of the docs may also be relevant:

• https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3-readme.html#block-public-access
• https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3-readme.html#object-ownership

CDK CLI Version

2.84.0

Framework Version

2.84.0

Node.js Version

v16.15.1

OS

macOS Ventura 13.3.1

Language

Typescript

Language Version

No response

Other information

N/A

[pahud]

Yes this makes sense to me. We should improve the user experience in this use case. I am making it a feature request and any pull request would be highly welcome and appreciated.

[0xdevalias]

Not saying I will have capacity to look at implementing this, but a few initial code references/exploration for future me, or anyone who feels like improving this DX.

---

From #25358

If you meet any of the following criteria then you are not affected and can stop reading:

You are using aws-cdk-lib >= 2.60.0, the feature flag @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy: true is set, and you are not using CloudFront logging; OR
You are using aws-cdk-lib >= 2.77.0

Looking at the CHANGELOG v2

• I didn't see any entries for 2.60.0 that seemed to obviously relate to this bug, despite it apparently being the first version where a fix was possible (via feature flag)
• For 2.77.0 the following entries seem relevant

  • log buckets don't have acls enabled (#25303) (0e9440b), closes #25288

    • s3: breaking change, cannot create bucket anymore, InvalidBucketAclWithObjectOwn #25288
      • fix: log buckets don't have acls enabled #25303

  • cloudfront: can't create the default log bucket (#25298) (0eb25f2), closes /docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3 #25288 #25291

    • s3: breaking change, cannot create bucket anymore, InvalidBucketAclWithObjectOwn #25288
      • fix(cloudfront): can't create the default log bucket  #25298

Some relevant references/snippets from those issues/PRs:

I believe we should improve the property validation in L2 Bucket construct to improve better user experience.

Originally posted by @pahud in #25288 (comment)

Set ObjectOwnership: ObjectWriter automatically if and only if:

• It is not provided by the user
• AccessControl ACLs are configured (only if AccessControl != PRIVATE)

If the user does supply ObjectOwnership != ObjectWriter AND they try to set ACLs, we should error.

ObjectWriter was essentially the default behavior before the change to disable ACLs by default for new buckets so though this will update existing buckets it should not cause any breakage or replacement.

Originally posted by @MrArnoldPalmer in #25303

In #25303, changes were made to:

• https://github.com/aws/aws-cdk/pull/25303/files
  • packages/aws-cdk-lib/aws-s3/lib/bucket.ts
    • Added the objectOwnership property to BucketBase (but seemingly not IBucket?)
    • Makes some changes to how ownershipControls and parseOwnershipControls work
      • ⚠️ I would need to look / think deeper about how the code here is used.. but at first glance, this sounds like it could be a relevant place to be adding functionality to fix this PR maybe?
  • packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
  • packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.ts

Starting from April 2023, all newly created S3 buckets by default have S3 Block Public Access enabled and access control lists (ACLs) disabled, and this prevents the default logBucket for cloudfront to be created. This PR adds the ObjectOwnership property to ObjectWriter that allows the default log bucket to be successfully created.

Originally posted by @pahud in #25298

In #25298, changes were made to:

• packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts

  • Make sure to set objectOwnership to s3.ObjectOwnership.OBJECT_WRITER in your custom bucket.

    • This was added as a comment.. but it doesn't look like it's enforced in any types/etc.. I wonder if that can be made better?
    • Added objectOwnership: s3.ObjectOwnership.OBJECT_WRITER, to the logBucket created
• packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts

• packages/aws-cdk-lib/aws-cloudfront/README.md

• packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.distribution-logbucket.ts
• packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/ (multiple files)
• packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.distribution-logbucket.js.snapshot/ (multiple files)

---

Based on the above exploration, I think looking at parseOwnershipControls in packages/aws-cdk-lib/aws-s3/lib/bucket.ts would be a good place to start:

• aws-cdk/packages/aws-cdk-lib/aws-s3/lib/bucket.ts

  Lines 2233 to 2255 in 4c9016a

  	private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined {
  	// Enabling an ACL explicitly is required for all new buckets.
  	// https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
  	const aclsThatDoNotRequireObjectOwnership = [
  	BucketAccessControl.PRIVATE,
  	BucketAccessControl.BUCKET_OWNER_READ,
  	BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
  	];
  	const accessControlRequiresObjectOwnership = (this.accessControl && !aclsThatDoNotRequireObjectOwnership.includes(this.accessControl));
  	if (!this.objectOwnership && !accessControlRequiresObjectOwnership) {
  	return undefined;
  	}
  	if (accessControlRequiresObjectOwnership && this.objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) {
  	throw new Error (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`);
  	}
  	return {
  	rules: [{
  	objectOwnership: this.objectOwnership ?? ObjectOwnership.OBJECT_WRITER,
  	}],
  	};
  	}

Without thinking about it too deeply, I think it might be relevant to add another check within this function (similar to accessControlRequiresObjectOwnership) for whether publicReadAccess is set to true, and if so, also require objectOwnership to be set to ObjectOwnership.OBJECT_WRITER.

I haven't looked too deeply to see if there are other cases throughout the CDK where there are other features that would cause this to need to be configured.

I also feel like we could potentially do something useful with the TypeScript types to pre-emptively inform the user that they are trying to do an invalid thing if they try and explicitly set objectOwnership to a value that is incompatible with:

• the provided accessControl setting
• the provided publicReadAccess setting
• etc

[MrArnoldPalmer]

I also feel like we could potentially do something useful with the TypeScript types to pre-emptively inform the user that they are trying to do an invalid thing if they try and explicitly set objectOwnership to a value that is incompatible with:

I don't think there is a great way to do this, usually we do this type of mutual exclusivity by manually detecting conflicting values and then throwing an error. That being said.

whether publicReadAccess is set to true, and if so, also require objectOwnership to be set to ObjectOwnership.OBJECT_WRITER.

Should we detect of publicReadAccess is set to true and then set objectOwnership ourselves? or should we throw and error and require the user to set it? The former seems to be easiest for the user and likely is what they expect.

[0xdevalias]

Should we detect of publicReadAccess is set to true and then set objectOwnership ourselves? or should we throw and error and require the user to set it? The former seems to be easiest for the user and likely is what they expect.

@MrArnoldPalmer I think handling it for the user if they only specified publicReadAccess is definitely the better way, and in line with the existing patterns (Ref)

BUT, with the caveat that if they explicitly try to set the other 1-2 related properties to an invalid value (thus overriding the defaults), I would expect it to have a runtime error (which is in line with the existing patterns (Ref)), but also to give that guidance to me at 'dev time' through the TypeScript types.

[0xdevalias]

Does someone has a working solution to deploy a public S3 bucket with CDK ?

@Aarbel Did you look at the stuff in #25983 ?

Eg. From the background research I did on that issue, I linked to this PR:

• https://github.com/aws/aws-cdk/pull/25298/files#diff-eb324dbbf7e94ba7a47c05856234f5d7dc4e678fd9a582d3450c1679836eeddd

Which seemed to just be able to add objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,

So I suspect the solution may be as simple as:

new s3.Bucket(this, 'Bucket', {
  publicReadAccess: true,
  objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
})

But I haven't explicitly tested it.

That's also based on this:

• ‼️ NOTICE: new S3 Buckets trying to use ACLs fail to create if not explicitly opted in #25358

  • Before April 2023, the default was to create new buckets with ObjectOwnership: ObjectWriter, which means it is possible to configure ACLs on the buckets and on objects by default.
    In April 2023, S3 has changed the default to ObjectOwnership: BucketOwnerEnforced, which means it is no longer possible to configure ACLs on the buckets and on objects by default.

Which to me, implies that just explicitly setting objectOwnership to the old default of s3.ObjectOwnership.OBJECT_WRITER sounds like it should restore the previous functionality.

We can see here that parseOwnershipControls will automatically set objectOwnership to OBJECT_WRITER when accessControl is set to a value that requires it:

• aws-cdk/packages/aws-cdk-lib/aws-s3/lib/bucket.ts

  Lines 2233 to 2255 in 4c9016a

  	private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined {
  	// Enabling an ACL explicitly is required for all new buckets.
  	// https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
  	const aclsThatDoNotRequireObjectOwnership = [
  	BucketAccessControl.PRIVATE,
  	BucketAccessControl.BUCKET_OWNER_READ,
  	BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
  	];
  	const accessControlRequiresObjectOwnership = (this.accessControl && !aclsThatDoNotRequireObjectOwnership.includes(this.accessControl));
  	if (!this.objectOwnership && !accessControlRequiresObjectOwnership) {
  	return undefined;
  	}
  	if (accessControlRequiresObjectOwnership && this.objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) {
  	throw new Error (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`);
  	}
  	return {
  	rules: [{
  	objectOwnership: this.objectOwnership ?? ObjectOwnership.OBJECT_WRITER,
  	}],
  	};
  	}

Though if that doesn't work, then this Reddit answer suggests this:

const bucket = new s3.Bucket(this, 'WebsiteBucket', {
  // your other bucket configurations
  publicReadAccess: true,
  blockPublicAccess: new s3.BlockPublicAccess({
    blockPublicAcls: false,
    ignorePublicAcls: false,
    blockPublicPolicy: false,
    restrictPublicBuckets: false,
  }),

We can see what each of the blockPublicAccess items does here:

• https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html#access-control-block-public-access-options

Originally posted by @0xdevalias in #25358 (comment)

[0xdevalias]

Following up my above comment, I actually tested all of the various cdk synth output for each of the proposed options, which should give a better idea of what the current impacts are in cdk 2.84.0, and what should be changed here to properly fix things:

Edit: To add some more 'concrete evidence' (rather than assumptions) of what each of these options does (on CDK 2.84.0), here are the relevant outputs for each from cdk synth. Diff highlighting based on difference from 'Option 1':

Option 1:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
})

TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
TestPublicBucketPolicyB64BAA28:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: TestPublicBucket87623E53
    PolicyDocument:
      Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            AWS: "*"
          Resource:
            Fn::Join:
              - ""
              - - Fn::GetAtt:
                    - TestPublicBucket87623E53
                    - Arn
                - /*
      Version: "2012-10-17"
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Policy/Resource

Option 2:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
+ objectOwnership: ObjectOwnership.OBJECT_WRITER,
})

TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   OwnershipControls:
+     Rules:
+       - ObjectOwnership: ObjectWriter
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
TestPublicBucketPolicyB64BAA28:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: TestPublicBucket87623E53
    PolicyDocument:
      Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            AWS: "*"
          Resource:
            Fn::Join:
              - ""
              - - Fn::GetAtt:
                    - TestPublicBucket87623E53
                    - Arn
                - /*
      Version: "2012-10-17"
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Policy/Resource

Option 3:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
+ blockPublicAccess: new BlockPublicAccess({
+   blockPublicAcls: false,
+   ignorePublicAcls: false,
+   blockPublicPolicy: false,
+   restrictPublicBuckets: false,
+ }),
})

TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   PublicAccessBlockConfiguration:
+     BlockPublicAcls: false
+     BlockPublicPolicy: false
+     IgnorePublicAcls: false
+     RestrictPublicBuckets: false
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
TestPublicBucketPolicyB64BAA28:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: TestPublicBucket87623E53
    PolicyDocument:
      Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            AWS: "*"
          Resource:
            Fn::Join:
              - ""
              - - Fn::GetAtt:
                    - TestPublicBucket87623E53
                    - Arn
                - /*
      Version: "2012-10-17"
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Policy/Resource

Option 4:

new Bucket(this, 'TestPublicBucket', {
- publicReadAccess: true,
+ blockPublicAccess: {
+   blockPublicAcls: false,
+   ignorePublicAcls: false,
+   blockPublicPolicy: false,
+   restrictPublicBuckets: false,
+ },
+ accessControl: BucketAccessControl.PUBLIC_READ,
})

TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   AccessControl: PublicRead
+   OwnershipControls:
+     Rules:
+       - ObjectOwnership: ObjectWriter
+   PublicAccessBlockConfiguration:
+     BlockPublicAcls: false
+     BlockPublicPolicy: false
+     IgnorePublicAcls: false
+     RestrictPublicBuckets: false
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
-TestPublicBucketPolicyB64BAA28:
-  Type: AWS::S3::BucketPolicy
-  Properties:
-    Bucket:
-      Ref: TestPublicBucket87623E53
-    PolicyDocument:
-      Statement:
-        - Action: s3:GetObject
-          Effect: Allow
-          Principal:
-            AWS: "*"
-          Resource:
-            Fn::Join:
-              - ""
-              - - Fn::GetAtt:
-                    - TestPublicBucket87623E53
-                    - Arn
-                - /*
-      Version: "2012-10-17"

Option 5:

new Bucket(this, 'TestPublicBucket', {
- publicReadAccess: true,
+ blockPublicAccess: {
+   blockPublicAcls: false,
+   ignorePublicAcls: false,
+   blockPublicPolicy: false,
+   restrictPublicBuckets: false,
+ },
+ accessControl: BucketAccessControl.PUBLIC_READ,
+ objectOwnership: ObjectOwnership.OBJECT_WRITER,
})

TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   AccessControl: PublicRead
+   OwnershipControls:
+     Rules:
+       - ObjectOwnership: ObjectWriter
+   PublicAccessBlockConfiguration:
+     BlockPublicAcls: false
+     BlockPublicPolicy: false
+     IgnorePublicAcls: false
+     RestrictPublicBuckets: false
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
-TestPublicBucketPolicyB64BAA28:
-  Type: AWS::S3::BucketPolicy
-  Properties:
-    Bucket:
-      Ref: TestPublicBucket87623E53
-    PolicyDocument:
-      Statement:
-        - Action: s3:GetObject
-          Effect: Allow
-          Principal:
-            AWS: "*"
-          Resource:
-            Fn::Join:
-              - ""
-              - - Fn::GetAtt:
-                    - TestPublicBucket87623E53
-                    - Arn
-                - /*
-      Version: "2012-10-17"

Option 6:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
+ blockPublicAccess: {
+   blockPublicAcls: false,
+   ignorePublicAcls: false,
+   blockPublicPolicy: false,
+   restrictPublicBuckets: false,
+ },
+ accessControl: BucketAccessControl.PUBLIC_READ,
+ objectOwnership: ObjectOwnership.OBJECT_WRITER,
})

TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   AccessControl: PublicRead
+   OwnershipControls:
+     Rules:
+       - ObjectOwnership: ObjectWriter
+   PublicAccessBlockConfiguration:
+     BlockPublicAcls: false
+     BlockPublicPolicy: false
+     IgnorePublicAcls: false
+     RestrictPublicBuckets: false
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
TestPublicBucketPolicyB64BAA28:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: TestPublicBucket87623E53
    PolicyDocument:
      Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            AWS: "*"
          Resource:
            Fn::Join:
              - ""
              - - Fn::GetAtt:
                    - TestPublicBucket87623E53
                    - Arn
                - /*
      Version: "2012-10-17"
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Policy/Resource

Based on the above, I think the full command (until #25983 is fixed) might actually be:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
  blockPublicAccess: {
    blockPublicAcls: false,
    ignorePublicAcls: false,
    blockPublicPolicy: false,
    restrictPublicBuckets: false,
  },
  accessControl: BucketAccessControl.PUBLIC_READ,
  objectOwnership: ObjectOwnership.OBJECT_WRITER,
})

Though due to the helpers already implemented in parseOwnershipControls, I think we can currently drop objectOwnership and so probably get away with just:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
  blockPublicAccess: {
    blockPublicAcls: false,
    ignorePublicAcls: false,
    blockPublicPolicy: false,
    restrictPublicBuckets: false,
  },
  accessControl: BucketAccessControl.PUBLIC_READ,
})

Originally posted by @0xdevalias in #25358 (comment)

[Aarbel]

For anybody who finds this issue, here what worked for us with cdk 2.83.1:

• double every .grantWrite and .grantReadWrite function with grantPutAcl, cf other issue .aws-cdk-lib/aws_s3: bucket.grantReadWrite missing PutObject* actions #18669

Example

bucket.grantWrite(workerNodejsFunction);
bucket.grantPutAcl(workerNodejsFunction);

• Define well bucket props to force Acl (legacy) use

Example

    this.publicAssetsBucket = new s3.Bucket(
      this,
      "myBucket",
      {
        blockPublicAccess: new s3.BlockPublicAccess({
          blockPublicAcls: false,
          blockPublicPolicy: false,
          ignorePublicAcls: false,
          restrictPublicBuckets: false,
        }),
        objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
        ...
      }
    );

[ChenKuanSun]

Screen.Recording.2023-07-28.at.04.21.28.mov

I've also encountered this issue. I believe we should alert the user to set blockPublicAccess during development, rather than encountering an error at runtime. Thus, I've written a type check for this. If everyone agrees, I will open a PR.

[rectalogic]

So we used to create a bucket like this:

s3.Bucket(
    self, "Bucket",
    public_read_access=True,
    enforce_ssl=True,
    removal_policy=RemovalPolicy.DESTROY,
)

After discussing this with AWS support, the correct way to create a bucket with the same permissions now, is:

s3.Bucket(
    self, "Bucket",
    public_read_access=True,
    block_public_access=s3.BlockPublicAccess(
        block_public_acls=False,
        block_public_policy=False,
        ignore_public_acls=False,
        restrict_public_buckets=False,
    ),
    object_ownership=s3.ObjectOwnership.OBJECT_WRITER,
    enforce_ssl=True,
    removal_policy=RemovalPolicy.DESTROY,
)

[awhillas]

Thanks @rectalogic ! But this is ugly! the whole point of using CDk is that there are sensible defaults for all of these permissions. Ether make this stuff default when public_read_access=True is set or make a new s3 object that does this and recommend this for ppl who don't care about fine grained control of permissions!

[mattbbc]

I am still unable to get this to work unless I disable account-level public access block, and I'm not sure I really want to do that. I've tried various of the above permutations, including trying to append a bucket policy after bucket creation in the code, but I keep getting access denied errors at the bucket policy creation point. I would be interested to know if those that got it to work had disabled the account-level block on S3 buckets or not.

[AllanOricil]

jesus. I just wanted to make a static web page hosted on an s3 bucket. Thank you everyone for your help.

[kitsunekyo]

in case someone else wastes a full day due to this change:

adding blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS, is enough

const websiteBucket = new s3.Bucket(this, "WebsiteBucket", {
  websiteIndexDocument: "index.html",
  publicReadAccess: true,
  blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS,
});

"aws-cdk-lib": "2.140.0"

would be great if someone at aws would update the docs:
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3_deployment-readme.html

[AllanOricil]

Another thing that I noticed yesterday is that the "bucket policy" that grants the Cloudfront Origin Access identity (Cloudfront special user) access to the bucket objects (s3:GetObject) isn't being added to the bucket. Even when you declare the following in your CDK. The diff command is also not showing that this is going to be created.

    staticSiteBucket.grantRead(staticSiteOriginAccessIdentity);

    // NOTE: THIS IS REQUIRED EVEN WITH THE ABOVE LINE
    staticSiteBucket.addToResourcePolicy(
      new iam.PolicyStatement({
        actions: ["s3:GetObject"],
        resources: [staticSiteBucket.arnForObjects("*")],
        principals: [
          new iam.CanonicalUserPrincipal(
            staticSiteOriginAccessIdentity.cloudFrontOriginAccessIdentityS3CanonicalUserId
          ),
        ],
      })
    );

With the aforementioned lines, I was expecting to see this policy in the S3 Bucket, but they arent being created.

To get the Cloudfront Origin Access Identity ID I had to go to cloudformation and expand the list of resources of my stack.