Reputation: 886
I have found a couple of similar questions on StackOverflow like this one but they are quite old and it seems things have changed with S3 since then. They added these four settings which are quite confusing:
If I turn these off, does it mean it makes my bucket writable by public?
In addition I also added this policy:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::REDACTED/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::REDACTED:user/REDACTED"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::REDACTED",
"arn:aws:s3:::REDACTED/*"
]
}
]
}
and this CORS configuration:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>REDACTED</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
I am trying to give public read access and restrict full access to a user I created in IAM. I would appreciate it if someone could confirm that my settings are correct or, in case they are not, point me to the resources I need to get it right.
Upvotes: 15
Views: 22114
Reputation: 270114
To make objects publicly accessible, use a policy like this:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"PublicRead",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::examplebucket/*"]
}
]
}
Note the use of "Principal": "*", which is different to your policy that uses "Principal": {"AWS": "*"}.
This allows objects to be accessed (GetObject), but the content of the bucket cannot be listed. That would require ListBucket permissions on the bucket itself (without the /*).
You will also need to turn off the two Block Public Access settings related to Bucket Policies.
Upvotes: 44
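Before attaching a policy it is worth checking statically what it actually hands to anonymous callers. The following is an added example, not code from the question or the answer above: it evaluates the answer's public-read policy (and a constructed variant using the question's {"AWS": "*"} spelling plus ListBucket on the bucket ARN) against a few probe actions. The bucket name, account ID and IAM user name are placeholders. Both spellings of the anonymous principal are treated as public. Block Public Access is applied by S3 on top of the policy and is deliberately outside this check, and statements with a Condition are only flagged for manual review.

```python
import fnmatch
import json

# Placeholders (assumptions for this example, not real identifiers):
BUCKET_ARN = "arn:aws:s3:::examplebucket"
IAM_USER_ARN = "arn:aws:iam::123456789012:user/deployer"

# Constructed sample: the public-read statement from the answer, plus the
# question's second statement that gives one IAM user full control.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": [f"{BUCKET_ARN}/*"]},
        {"Sid": "OwnerFullControl", "Effect": "Allow",
         "Principal": {"AWS": IAM_USER_ARN},
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
    ],
})

# Constructed variant: the question's {"AWS": "*"} spelling, and ListBucket
# granted on the bucket ARN itself, so anonymous callers can enumerate keys.
PUBLIC_LIST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """Both "*" and {"AWS": "*"} denote the anonymous principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _statement_covers(stmt, action, resource):
    """Does this statement's Action/Resource match the probe?

    IAM action names are case-insensitive and both fields allow '*' and '?'
    wildcards, which fnmatch implements for this purpose.
    """
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def public_access(policy_json, bucket_arn):
    """Report what an anonymous caller can do under this policy.

    Returns {"read", "list", "write": bool, "conditional": [Sids]}. Statements
    carrying a Condition are not evaluated (a Condition may narrow the grant)
    but are listed so a human reviews them. Block Public Access settings are
    applied by S3 on top of the policy and are outside this check.
    """
    obj = f"{bucket_arn}/index.html"          # representative object ARN
    probes = {
        "read":  [("s3:GetObject", obj)],
        "list":  [("s3:ListBucket", bucket_arn)],  # bucket ARN, no "/*"
        "write": [("s3:PutObject", obj), ("s3:DeleteObject", obj),
                  ("s3:PutBucketPolicy", bucket_arn)],
    }
    statements = _as_list(json.loads(policy_json).get("Statement"))
    public = [s for s in statements if principal_is_public(s.get("Principal"))]
    result = {"read": False, "list": False, "write": False,
              "conditional": [s.get("Sid", "<no Sid>")
                              for s in public if "Condition" in s]}
    unconditional = [s for s in public if "Condition" not in s]
    for kind, checks in probes.items():
        for action, resource in checks:
            allowed = any(s.get("Effect") == "Allow"
                          and _statement_covers(s, action, resource)
                          for s in unconditional)
            denied = any(s.get("Effect") == "Deny"
                         and _statement_covers(s, action, resource)
                         for s in unconditional)
            if allowed and not denied:    # an explicit Deny wins over Allow
                result[kind] = True
    return result


if __name__ == "__main__":
    for name, policy in [("public-read", PUBLIC_READ_POLICY),
                         ("public-list", PUBLIC_LIST_POLICY)]:
        print(name, public_access(policy, BUCKET_ARN))
```

Running it reports read-only for the answer's policy and read plus list for the variant, which is the distinction the answer draws between GetObject on bucket/* and ListBucket on the bucket ARN. Even with a clean result here, the two policy-related Block Public Access settings (BlockPublicPolicy and RestrictPublicBuckets) still decide whether S3 honours the public statement at all.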