mkto

Reputation: 4664

How to create correct S3 bucket policy to enable read access to a file only if they know the path

My web app allows different users to upload different files. Currently I put them all in one bucket, something like:

A12345-Something.zip
B67890-Lorem.zip

A12345-... is file uploaded by user id A12345. B67890-... is file uploaded by user id B67890.

This is my S3 bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::xxxx/*"
        }
    ]
}

So far, this is all good, user A12345 can download the zip file by accessing https://xxxx.s3.ap-south-1.amazonaws.com/A12345-Something.zip

But the AWS interface gives me a warning that this bucket is a public bucket and it is highly recommended to not set it to public.

I am not sure, but it is indeed very wrong if the policy above allows someone to list all objects from all users in my bucket and then access them one by one.

I think I need a policy that only allows reading a specific object if the full path is provided (assuming only that user will have access to that full path), but disallow listing of objects?

What should the policy look like?

Upvotes: 2

Views: 1634

Answers (1)

Chris Williams

Reputation: 35146

The policy you've specified allows someone to get all objects, which means that if they have the path they can retrieve that file publicly in the browser.

The permission ListObjects would be the permission that allows people to list all of the objects in your S3 bucket; this is not included.

If only specific users should be accessing this content, you should take a look at using signed URLs instead; this would prevent someone guessing or somehow gaining access to a link you do not want them to have.

This warning is in place to protect sensitive data from being left exposed to the world, which in recent times has caused large volumes of private company data to be leaked.

Upvotes: 1
