1
votes

I am new to AWS. I am saving a file to AWS from my Java application. The file is being saved in the bucket, no problem with that. But the real problem starts when trying to access them. Every time I get:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>8B350BEBBDF0386B</RequestId>
<HostId>77cB7pybpshSC7TfDilGiPHvKfd91wI24iQJ8ach7jLIBuqOeB+hfDz7soLE1p0ZqrUyoRqgPCw=</HostId>
</Error>

I have checked the AWS settings; both my bucket and object are public. I have searched the internet, and most of the solutions talk about making the ACL public. I think I already did that.

Bucket Policy:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "Allow-OAI-Access-To-Bucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxbucket/*"
        },
        {
            "Sid": "Allow-Public-Access-To-Bucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxbucket/*"
        },
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxbucket/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-1a2b3c4d"
                }
            }
        }
    ]
}

Account-level public access.

Object Level ACL public access.

Bucket is public

While permission has been given to the public, I am understanding why it is giving an Access Denied error.

1
There are two levels of "Block public access". Account level and bucket level. Did you disable both of them? - Marcin
@Marcin are you talking about bucket policy? - Black Swan
The last screenshot shows "Block public access". - Marcin
@Marcin yes, last screenshot: all block is off. - Black Swan
@Marcin thanks man, now I am getting my objects. - Black Swan

1 Answers

0
votes

Based on the comments.

The bucket policy contains an explicit deny statement, which prohibits any access to the objects from outside of a given VPC (including no access from the internet):

        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxxxxxbucket/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-1a2b3c4d"
                }
            }
        }

Thus, to make the objects publicly accessible over the internet for the website, the statement should be removed.
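
The evaluation order behind this answer, as an added example (not code from the post and not AWS's evaluator): a simplified Python model of how the question's bucket policy is evaluated, showing that a request with no `aws:sourceVpce` key still satisfies `StringNotEquals` and so hits the explicit Deny. It models only the `Action`, `Resource` and string condition checks this policy uses; `Principal`, ACLs and Block Public Access are not modelled, and the object key `report.pdf` is constructed.

```python
import fnmatch

# Bucket policy from the question; the duplicated Allow statement is omitted.
POLICY = {"Statement": [
    {"Sid": "Allow-Public-Access-To-Bucket", "Effect": "Allow",
     "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::xxxxxxxbucket/*"},
    {"Sid": "Access-to-specific-VPCE-only", "Effect": "Deny",
     "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::xxxxxxxbucket/*",
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}},
]}

def condition_holds(condition, context):
    """Evaluate the two string operators this example models."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the request lacks the key
            if op == "StringEquals":
                ok = actual == expected  # absent key: no match
            elif op == "StringNotEquals":
                ok = actual != expected  # absent key: negated operator is true
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return (decision, sid). Explicit Deny beats any Allow; default is Deny."""
    allowed_by = None
    for st in policy["Statement"]:
        if st["Action"] != action:
            continue
        if not fnmatch.fnmatchcase(resource, st["Resource"]):
            continue
        if not condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny", st["Sid"]
        allowed_by = allowed_by or st["Sid"]
    return ("Allow", allowed_by) if allowed_by else ("Deny", None)

def without(policy, sid):
    """Copy of the policy with one statement removed (the answer's fix)."""
    return {"Statement": [s for s in policy["Statement"] if s["Sid"] != sid]}

OBJ = "arn:aws:s3:::xxxxxxxbucket/report.pdf"  # constructed object key
```

Calling `evaluate(POLICY, "s3:GetObject", OBJ, {})` models the browser request from the question; passing `{"aws:sourceVpce": "vpce-1a2b3c4d"}` as the context models a request through the endpoint named in the policy.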