AWS S3 Static Site Hosting ACLs and Permissions

Question

This is related to Host a static site on AWS S3 - granting read only access and AWS S3 Bucket Permissions - Access Denied , but since those answers it appears AWS has changed some of the ways to set up static website hosting.

I'm curious if I have access and permissions set up correctly and haven't left any security holes. I can access the static html files in the S3 bucket right now, so web access for the public works, and I upload files in the AWS web interface and not via the shell.

The AWS setup is fairly straightforward for a static site, but I want to check: do I have ACLs and permissions set up correctly for a static site?

1) The Properties Tab is set up for Static Web Site Hosting: "Bucket Hosting."

2) In the Permissions Tab,

a) Public access is:

b) In the Access Control List, there is access for the bucket owner, but no access for other AWS accounts or the public.

c) he Bucket Policy is flagged "Public" and the JSON is standard:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example.com/*"
        }
    ]
}

d) I have set no CORS configuration.

Answer 1

Yes, your policy and public access settings are correct for a site that intentionally makes all of its objects publicly accessible (read, but not list/write/delete) via the bucket policy.

Note that as a side effect of these correct settings, S3 will not return 404 Not Found if a nonexistent object is requested. It will instead return 403 Forbidden. There is no real workaround for this, because S3 considers an anonymous requester to be unauthorized to determine why the object can't be downloaded (could be due to non-existence or could be some other reason) unless s3:ListBucket is also granted, and you don't want to do that.