1 Answer
Hello.
I was able to create an S3 bucket using the template below in my AWS account.
If the error content is "Access Denied", I thought that the IAM policy for creating S3 might not be attached to the IAM user.
By the way, can I create S3 if I deploy a CloudFormation template that creates S3 directly instead of from a nested stack?
Also, if you look at the CloudTrail event history, you can check the API event where the error occurred, so please check it.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "BucketName": {
      "Type": "String",
      "Description": ""
    },
    "GL": {
      "Type": "String",
      "Default": "",
      "Description": "Tag"
    },
    "Owner": {
      "Type": "String",
      "Default": "",
      "Description": "Tag Owner"
    },
    "ApID": {
      "Type": "String",
      "Default": "",
      "Description": "Tag Application ID"
    }
  },
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {
          "Ref": "BucketName"
        },
        "AccessControl": "Private",
        "Tags": [
          {
            "Key": "GBL",
            "Value": {
              "Ref": "GL"
            }
          },
          {
            "Key": "Owner",
            "Value": {
              "Ref": "Owner"
            }
          },
          {
            "Key": "ApplicationID",
            "Value": {
              "Ref": "ApID"
            }
          },
          {
            "Key": "Name",
            "Value": {
              "Ref": "BucketName"
            }
          }
        ],
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "OwnershipControls": {
          "Rules": [
            {
              "ObjectOwnership": "ObjectWriter"
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "BucketName": {
      "Description": "",
      "Value": {
        "Ref": "BucketName"
      },
      "Export": {
        "Name": {
          "Fn::Sub": "${AWS::StackName}-BUCKET-NAME"
        }
      }
    },
    "ALBIPBUCKETNAME": {
      "Value": {
        "Ref": "S3Bucket"
      }
    }
  }
}
PutBucketPublicAccessBlock is the event name shown in CloudTrail, but I have S3 full access.
Can I check the event history details to see if any errors have occurred? Is it possible to try directly deploying a CloudFormation template that creates S3 rather than a nested stack? Also, if your AWS account is managed by AWS Organizations, please check if there are any policies set such as SCP that block S3 creation.
Most likely, there's an SCP in the Organizations org that blocks PutBucketPublicAccessBlock from being called. Your organisation admins may have set the limitation to ensure no one creates publicly accessible buckets (even though in this case, you're trying to set the most restrictive setting at the bucket level). If that's so, then just remove the PBA settings from your template.
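The thread's diagnosis path is: pull the failed API call out of CloudTrail event history, then read its error message to tell an SCP deny apart from a missing identity policy. The script below is an added example (not code from the question or the answer) that performs that triage over a constructed CloudTrail export. The account ID, principal ARN, bucket name and timestamps are placeholders; the error-message wording follows the format IAM uses when it names the denying policy type, and anything that does not match those phrases is reported as "unknown" rather than guessed.

```python
"""Triage a CloudTrail event-history export for the AccessDenied behind a
failed CloudFormation S3 bucket creation.

Added example: the records below are constructed samples shaped like the
JSON that CloudTrail event history exports. They are not from the thread.
"""
import json
from dataclasses import dataclass

# Constructed export: CloudFormation creates the bucket, is denied when it
# applies the PublicAccessBlock, then deletes the bucket during rollback.
# Account ID, ARN, bucket name and times are placeholders.
SAMPLE_EVENTS_JSON = """
{"Records": [
  {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "CreateBucket",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deployer"},
   "requestParameters": {"bucketName": "example-bucket"},
   "userAgent": "cloudformation.amazonaws.com"},
  {"eventTime": "2024-01-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
   "eventName": "PutBucketPublicAccessBlock",
   "errorCode": "AccessDenied",
   "errorMessage": "User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: s3:PutBucketPublicAccessBlock on resource: arn:aws:s3:::example-bucket with an explicit deny in a service control policy",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deployer"},
   "requestParameters": {"bucketName": "example-bucket"},
   "userAgent": "cloudformation.amazonaws.com"},
  {"eventTime": "2024-01-01T10:00:02Z", "eventSource": "s3.amazonaws.com",
   "eventName": "DeleteBucket",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deployer"},
   "requestParameters": {"bucketName": "example-bucket"},
   "userAgent": "cloudformation.amazonaws.com"}
]}
"""


@dataclass
class Denial:
    event_name: str
    principal: str
    bucket: str
    source: str  # "scp", "identity-policy", "resource-policy" or "unknown"


def classify_denial(message: str) -> str:
    """Name the policy layer that produced an AccessDenied, from its message.

    IAM spells out the denying policy type in the message when it knows it;
    a bare "Access Denied" carries no such hint and is left as "unknown".
    """
    m = message.lower()
    if "service control policy" in m:
        return "scp"
    if "identity-based policy" in m:
        return "identity-policy"
    if "resource-based policy" in m:
        return "resource-policy"
    return "unknown"


def find_denials(records_json: str) -> list[Denial]:
    """Return every AccessDenied event in a CloudTrail export, classified."""
    records = json.loads(records_json)["Records"]
    denials = []
    for r in records:
        if r.get("errorCode") != "AccessDenied":
            continue
        denials.append(Denial(
            event_name=r["eventName"],
            principal=r.get("userIdentity", {}).get("arn", "?"),
            bucket=r.get("requestParameters", {}).get("bucketName", "?"),
            source=classify_denial(r.get("errorMessage", "")),
        ))
    return denials


def next_check(source: str) -> str:
    """Map the denial source to the check the thread recommends."""
    return {
        "scp": "ask the Organizations admin which SCP denies this action",
        "identity-policy": "attach the missing S3 permission to the IAM principal",
        "resource-policy": "review the bucket policy for an explicit deny",
    }.get(source, "no policy type in the message; compare the action against "
                  "the identity policy and any SCPs")


if __name__ == "__main__":
    for d in find_denials(SAMPLE_EVENTS_JSON):
        print(f"{d.event_name} by {d.principal} on {d.bucket}: "
              f"{d.source} -> {next_check(d.source)}")
```

On a real account the `Records` array comes from the CloudTrail console's JSON export or from `aws cloudtrail lookup-events`; the one denied call surrounded by a successful CreateBucket and a DeleteBucket is the typical shape of a CloudFormation rollback, which is why the failure is easy to miss if only the first event is inspected.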