How can I resolve S3 bucket permission errors for configuring a Certificate Revocation List (CRL) with ACM Private CA?

Last updated: 2019-08-05

I attempted to create a certificate revocation list (CRL) in an Amazon Simple Storage Service (Amazon S3) bucket using the instructions for Creating a Private CA. However, I received an error similar to the following:

"An error occurred (ValidationException) when calling the CreateCertificateAuthority operation: The ACM Private CA Service Principal 'acm-pca.amazonaws.com' requires 's3:PutObject' and 's3:PutObjectAcl' permissions for your S3 bucket '[bucket]'. Check your S3 bucket permissions and try again."  

Resolution

AWS Certificate Manager (ACM) Private CA CRLs don't support the S3 Block Public Access setting "Block public access to buckets and objects granted through new access control lists (ACLs)". Because S3 applies the most restrictive of the account-level and bucket-level settings, you must disable this setting both for the AWS account and for the S3 bucket in order to allow ACM Private CA to write CRLs.

Disable "Block public access to buckets and objects granted through new access control lists (ACLs)" in your AWS account

  1. Sign in to the Amazon S3 console.
  2. Choose Block public access (account settings), and then choose Edit.
  3. Uncheck Block public access to buckets and objects granted through new access control lists (ACLs), and then choose Save.
  4. In the confirm field, enter "confirm", and then choose Confirm.

Disable "Block public access to buckets and objects granted through new access control lists (ACLs)" on the S3 bucket used for the CRL

  1. Sign in to the Amazon S3 console.
  2. In Bucket name, choose the name of the bucket that you used for configuring the CRL in ACM PCA.
  3. Choose Permissions, and then choose Edit.
  4. Uncheck Block public access to buckets and objects granted through new access control lists (ACLs), and then choose Save.
  5. In the confirm field, enter "confirm", and then choose Confirm.
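As an added example (not part of the AWS article), the check below takes the account-level and bucket-level Block Public Access configurations, reports which level still blocks the CRL write, and builds the equivalent AWS CLI command for each, flipping only BlockPublicAcls so the other three protections are preserved. The account ID and bucket name are constructed placeholders; nothing here calls AWS.

```python
# The dicts mirror PublicAccessBlockConfiguration as returned by
# `aws s3api get-public-access-block` (bucket) and
# `aws s3control get-public-access-block` (account).

# The console label "Block public access to buckets and objects granted
# through new access control lists (ACLs)" corresponds to this API key.
SETTING = "BlockPublicAcls"
ALL_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def crl_write_blockers(account_cfg, bucket_cfg):
    """Levels that still block the CRL write ('account' and/or 'bucket').

    S3 applies the most restrictive of the two levels, so BlockPublicAcls at
    either one is enough to fail CreateCertificateAuthority with the
    s3:PutObjectAcl error from the article.
    """
    blockers = []
    if account_cfg.get(SETTING, False):
        blockers.append("account")
    if bucket_cfg.get(SETTING, False):
        blockers.append("bucket")
    return blockers


def relaxed_config(cfg):
    """Copy of cfg with only BlockPublicAcls cleared.

    put-public-access-block replaces the whole configuration, so the other
    three settings are carried over explicitly rather than silently dropped.
    """
    new = {key: bool(cfg.get(key, False)) for key in ALL_KEYS}
    new[SETTING] = False
    return new


def remediation_commands(account_id, bucket, account_cfg, bucket_cfg):
    """AWS CLI equivalents of the console steps, one per blocking level."""
    cmds = []
    for level in crl_write_blockers(account_cfg, bucket_cfg):
        cfg = relaxed_config(account_cfg if level == "account" else bucket_cfg)
        arg = ",".join(f"{k}={'true' if v else 'false'}" for k, v in cfg.items())
        if level == "account":
            cmds.append(f"aws s3control put-public-access-block --account-id "
                        f"{account_id} --public-access-block-configuration {arg}")
        else:
            cmds.append(f"aws s3api put-public-access-block --bucket {bucket} "
                        f"--public-access-block-configuration {arg}")
    return cmds
```

Run `remediation_commands("123456789012", "example-crl-bucket", account_cfg, bucket_cfg)` with the two dicts fetched for your environment; an empty list means neither level blocks the CRL write.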