Why did I receive an Amazon S3 GetBucketAcl permission error when updating my ACM Private Certificate Authority CRL configuration?

Last updated: 2022-06-08

I updated my AWS Certificate Manager (ACM) private certificate authority (CA) to configure a certificate revocation list (CRL). However, I received an error similar to the following:

"The ACM Private CA Service Principal 'acm-pca.amazonaws.com' requires 's3:GetBucketAcl' permissions."

How can I resolve this?

Short description

ACM Private CA places the CRL into an Amazon Simple Storage Service (Amazon S3) bucket that you designate for use. Your Amazon S3 bucket must be secured by an attached permissions policy. Authorized users and service principals require Put permission to allow ACM Private CA to place objects in the bucket, and Get permission to retrieve them.

For more information, see Access policies for CRLs in Amazon S3.

Resolution

Follow these instructions to replace the default Amazon S3 policy with the following less permissive policy.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    Open the Amazon S3 console.

2.    From the list of buckets, open the bucket that you want to place the CRL in.

3.    Choose the Permissions tab.

4.    In Bucket policy, choose Edit.

5.    In Policy, copy and paste the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "acm-pca.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::your-crl-storage-bucket/*",
        "arn:aws:s3:::your-crl-storage-bucket"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account",
          "aws:SourceArn": "arn:partition:acm-pca:region:account:certificate-authority/CA_ID"
        }
      }
    }
  ]
}

Note: Replace your-crl-storage-bucket, account, partition, region, and CA_ID with your S3 bucket name, your account ID, and the partition, Region, and ID of your private CA.

6.    Choose Save changes.

7.    Follow the instructions to encrypt your CRLs.

8.    Update the CA revocation configuration using the AWS CLI command update-certificate-authority similar to the following:

$ aws acm-pca update-certificate-authority --certificate-authority-arn <Certificate_Authority_ARN> --revocation-configuration file://revoke_config.txt

The revoke_config.txt file contains revocation information similar to the following (replace the example values with your own):

{
    "CrlConfiguration": {
        "Enabled": true,
        "ExpirationInDays": 7,
        "CustomCname": "example1234.cloudfront.net",
        "S3BucketName": "example-test-crl-bucket-us-east-1",
        "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL"
    }
}

Note:

  • If you have disabled the Block Public Access (BPA) feature in Amazon S3, then you can specify either BUCKET_OWNER_FULL_CONTROL or PUBLIC_READ as the value.
  • If you configured your CRL using the AWS Management Console, you might receive a "ValidationException" error. Repeat step 8 to update the CA revocation configuration using the AWS CLI.
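The following added example (not part of the AWS article) checks a CRL bucket policy offline, before you save it in step 5, for the four actions, both resource ARNs, and the aws:SourceAccount/aws:SourceArn condition shown above; the bucket name, account ID, and CA ARN are constructed placeholders.

```python
import json

# Actions the acm-pca.amazonaws.com service principal needs on the CRL bucket.
REQUIRED_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetBucketAcl", "s3:GetBucketLocation"}
PCA_PRINCIPAL = "acm-pca.amazonaws.com"

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return [] if value is None else (value if isinstance(value, list) else [value])

def check_crl_bucket_policy(policy_json, bucket, ca_arn, account):
    """Return findings for the CRL bucket policy; an empty list means it is sufficient and scoped."""
    findings, granted, resources, scoped = [], set(), set(), False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or PCA_PRINCIPAL not in services:
            continue  # only Allow statements addressed to the ACM Private CA principal count
        granted |= set(_as_list(stmt.get("Action")))
        resources |= set(_as_list(stmt.get("Resource")))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") == account and cond.get("aws:SourceArn") == ca_arn:
            scoped = True  # confused-deputy guard: grant usable only by this CA in this account
    if granted & {"*", "s3:*"}:
        findings.append("wildcard action grant to the service principal; list only the four actions")
    else:
        findings += [f"missing action: {a}" for a in sorted(REQUIRED_ACTIONS - granted)]
    for arn in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
        if arn not in resources:
            findings.append(f"resource not covered: {arn}")
    if not scoped:
        findings.append("no aws:SourceAccount/aws:SourceArn condition restricting the grant to your CA")
    return findings

# Constructed sample values (placeholders, not real resources).
BUCKET, ACCOUNT = "example-crl-bucket", "111122223333"
CA_ARN = f"arn:aws:acm-pca:us-east-1:{ACCOUNT}:certificate-authority/EXAMPLE-CA-ID"

# Weak policy: PutObject only and no condition, which produces the GetBucketAcl error from the page.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": PCA_PRINCIPAL},
    "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

# Corrected policy: the four actions on bucket and objects, pinned to one account and one CA ARN.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": PCA_PRINCIPAL},
    "Action": sorted(REQUIRED_ACTIONS),
    "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT, "aws:SourceArn": CA_ARN}}}]})
```

Run it against the policy document you are about to paste (for example, `check_crl_bucket_policy(open("policy.json").read(), bucket, ca_arn, account)`); an empty result means the grant is complete and pinned to your CA.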