How to set public read only access on Amazon S3 Bucket?

Question

I have found a couple of similar questions on StackOverflow like this one but they are quite old and it seems things have changed with S3 since then. They added these four settings which are quite confusing: If I turn these off, does it mean it makes my bucket writable by public? In addition I also added this policy:

{
"Version": "2008-10-17",
"Statement": [
    {
        "Sid": "PublicReadForGetBucketObjects",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::REDACTED/*"
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::REDACTED:user/REDACTED"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::REDACTED",
            "arn:aws:s3:::REDACTED/*"
        ]
    }
]

and this CORS configuration:




    REDACTED
    GET
    POST
    PUT
    *

I am trying to give public read access and restrict full access to a user I created in IAM. I would appreciate if someone could confirm that my settings are correct or in case they are not point me to the resources I need to get it right.

John Rotenstein · Accepted Answer

To make objects publicly accessible, use a policy like this:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"PublicRead",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

Note that use of "Principal": "*", which is different to your policy that uses "Principal": {"AWS": "*"}.

This allows objects to be accessed (GetObject), but the content of the bucket cannot be listed. That would require ListBucket permissions on the bucket itself (without the /*).

You will also need to turn off the two Block Public Access settings related to Bucket Policies.

How to set public read only access on Amazon S3 Bucket?

Answers (1)

Related Questions