AWS S3: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting – Amazon-web-services

by Ali Hasan

Tags: amazon-s3, amazon-web-services

The Solutions:

Solution 1: Create a bucket with ACL `public-read` option:

#!/bin/bash

bucket_name="my-unique-name"

aws s3api create-bucket --bucket "${bucket_name}" > /dev/null # 1
aws s3api put-public-access-block --bucket "${bucket_name}" --public-access-block-configuration "BlockPublicPolicy=false" # 2
# The policy is single-quoted so the JSON reaches the CLI untouched; the quotes
# are briefly closed around "${bucket_name}" to splice the bucket name into the ARN.
aws s3api put-bucket-policy --bucket "${bucket_name}" --policy '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::'"${bucket_name}"'/*"
            ]
        }
    ]
}' # 3

What changed?

  1. Since 25.04.2023, Amazon changed the default settings for newly created buckets. ACLs on buckets were considered a wrong practice, and the ObjectOwnerEnforced option became the default.

ObjectOwnerEnforced – Access control lists (ACLs) are disabled and no longer affect access. The bucket owner automatically has full control over every object in the bucket. The bucket only accepts PUT requests that don’t specify an ACL or bucket owner full control ACLs, such as the bucket-owner-full-control canned ACL or an equivalent form of this ACL expressed in the XML format.

  2. Without BlockPublicPolicy, you won't be able to set public access to the bucket. For the public-read ACL (not 100% sure), make sure RestrictPublicBuckets is set to false as well.

  3. For a public or write ACL, the policy needs to be changed accordingly (PutObject).

Of course, nothing stops you from using ACLs. You need to set ObjectOwner or ObjectWriter for your bucket.

# Re-enable ACLs: the ownership rule key is ObjectOwnership, and ObjectWriter
# (or BucketOwnerPreferred) is the value under which S3 still honours ACLs.
$ aws s3api put-bucket-ownership-controls --bucket "${bucket_name}" --ownership-controls 'Rules=[{ObjectOwnership=ObjectWriter}]'
# A public ACL is only accepted once BlockPublicAcls is off for the bucket.
$ aws s3api put-public-access-block --bucket "${bucket_name}" --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false"
$ aws s3api put-bucket-acl --bucket "${bucket_name}" --acl public-read
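A preflight helper, added here as an example and not part of the answer above: it reads the ObjectOwnership value from the JSON that `aws s3api get-bucket-ownership-controls` returns, tells you whether the bucket will accept ACL calls at all, and prints the CLI steps for either the policy route or the ACL route. `SAMPLE_JSON` is a constructed stand-in for the real CLI output so the script runs offline.

```bash
#!/bin/bash
# Added preflight helper (not from the original answers). SAMPLE_JSON is a
# constructed copy of what get-bucket-ownership-controls returns for a bucket
# created with today's defaults; replace it with the real CLI output in practice.
SAMPLE_JSON='{"OwnershipControls":{"Rules":[{"ObjectOwnership":"BucketOwnerEnforced"}]}}'

# Pull the ObjectOwnership value out of get-bucket-ownership-controls JSON.
ownership_from_json() {
  printf '%s' "$1" | sed -n 's/.*"ObjectOwnership"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p'
}

# Succeeds only for settings under which S3 still honours ACLs.
# BucketOwnerEnforced (the default since April 2023) rejects put-bucket-acl and
# any PUT carrying an ACL other than bucket-owner-full-control.
acls_allowed() {
  case "$1" in
    ObjectWriter|BucketOwnerPreferred) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the CLI steps for public read. mode=policy keeps ACLs disabled (the
# route AWS now recommends); mode=acl re-enables ACLs via ObjectWriter.
fix_plan() {
  local bucket="$1" mode="$2"
  case "$mode" in
    policy)
      echo "aws s3api put-public-access-block --bucket $bucket --public-access-block-configuration BlockPublicPolicy=false,RestrictPublicBuckets=false"
      echo "aws s3api put-bucket-policy --bucket $bucket --policy file://public-read.json"
      ;;
    acl)
      echo "aws s3api put-bucket-ownership-controls --bucket $bucket --ownership-controls 'Rules=[{ObjectOwnership=ObjectWriter}]'"
      echo "aws s3api put-public-access-block --bucket $bucket --public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false"
      echo "aws s3api put-bucket-acl --bucket $bucket --acl public-read"
      ;;
    *) return 1 ;;
  esac
}

# Minimal public-read bucket policy for the policy route (GetObject only).
public_read_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"PublicReadGetObject","Effect":"Allow","Principal":"*","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::%s/*"]}]}' "$1"
}

# Stand-alone demo on the constructed sample.
own=$(ownership_from_json "$SAMPLE_JSON")
if acls_allowed "$own"; then echo "ACLs accepted ($own)"; else echo "ACLs rejected ($own); run:"; fix_plan my-unique-name policy; fi
```

Write the output of `public_read_policy` to `public-read.json` before running the policy-route commands.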

Solution 2: Use PublicAccessBlockConfiguration and OwnershipControls

Update your bucket configuration to include the following settings:

PublicAccessBlockConfiguration:
  BlockPublicAcls: false
OwnershipControls:
  Rules:
    - ObjectOwnership: ObjectWriter

These settings will disable public ACLs and enable bucket owner enforced object ownership. This should resolve the error you are encountering.

Refer to the AWS documentation for more information on PublicAccessBlockConfiguration and OwnershipControls.

Solution 3: Enable ACLs and Choose `ObjectWriter`

To resolve this issue, enable ACLs for your S3 bucket and select ObjectWriter as the object ownership setting. This will allow you to continue using ACLs for your bucket while complying with the new AWS S3 default security settings.

If you are using CloudFormation to create or update your bucket, you will need to remove the following line from your template:

AccessControl: PublicRead

Additionally, add the following to your template to enable object ownership and set ObjectOwnership to ObjectWriter:

OwnershipControls:
  Rules:
    - ObjectOwnership: ObjectWriter

Solution 4:

The provided CloudFormation template sets up a bucket policy to enable public access to the bucket and its objects. It includes two policy statements:

  1. The first statement allows public access to objects in the bucket with the `s3:GetObject` action.
  2. The second statement grants permission to list the bucket’s contents with the `s3:ListBucket` action.

The `s3:ListBucket` action is crucial in this context because a bucket must be publicly listable for applications to access its objects using paths, as needed for React Router. The CloudFormation template ensures that the bucket is publicly listable in addition to enabling public access to its objects.

Initially, when creating the stack with CloudFormation, using the `PublicRead` ACL may not be allowed. However, on subsequent attempts, the `PublicRead` ACL can be enabled, achieving the same result as the CLI command suggested in the previous answer.

Q&A

Why do I get error 400 Bad Request when uploading photos to my AWS S3 bucket?

AWS has changed the default security configuration for new S3 buckets to disable ACLs and enable S3 Block Public Access. To resolve this, remove existing bucket ACLs and migrate permissions to a bucket policy.

How do I disable ACLs on an existing S3 bucket using CloudFormation?

To disable ACLs on an existing S3 bucket using CloudFormation, add the following to your template:

OwnershipControls: # << Add
  Rules:
    - ObjectOwnership: ObjectWriter
