Aeton

Reputation: 69

AWS S3 ACL Permissions

So my bucket was, and still is, functioning correctly; I'm able to upload images through the API with no issues. However, I was messing around with the user policy, and I made a change to the Resource for my User Policy, and this caused some settings to change.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1420751757000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": CHANGE MADE HERE
        }
    ]
}

When I try to upload an image through my AWS account (not using the API), the ACL public access is private by default. I tried changing my Policy version back to what I had, but there was no change. I am pretty inexperienced with S3, so if I'm missing crucial info regarding this issue, I can provide it.

Upvotes: 0

Views: 1043

Answers (1)

John Rotenstein

Reputation: 270154

If you want all objects to be public, then you should use a Bucket Policy.

This should typically be limited to only allowing people to download (Get) an object if they know the name of the object. You can use this Bucket Policy (which goes on the bucket itself):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-NAME/*"
            ]
        }
    ]
}

This policy is saying: "Allow anyone to get an object from this bucket, without knowing who they are"

It does not allow listing the bucket, uploading to the bucket or deleting from the bucket. If you wish to do any of these operations, you would need to use your own credentials via an API call or using the AWS CLI.

For examples of bucket policies, see: Bucket policy examples - Amazon Simple Storage Service

Your IAM User should probably have a policy like this:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect": "Allow",
         "Action": "s3:*",
         "Resource": [
             "arn:aws:s3:::YOUR-BUCKET-NAME",
             "arn:aws:s3:::YOUR-BUCKET-NAME/*"
         ]
      }
   ]
}

This is saying: "Allow this IAM User to do anything in Amazon S3 to this bucket and the contents of this bucket"

That will grant you permission to do anything with the bucket (including uploading, downloading and deleting objects, and deleting the bucket).

For examples of IAM Policies, see: User policy examples - Amazon Simple Storage Service

Upvotes: 3
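The two policies in the answer above, built and sanity-checked in code. This is an added example for this page, not code from the answer or from AWS; `example-bucket` is a placeholder name, and `lint_policy`, `parse_policy` and `apply_bucket_policy` are illustrative helpers. `lint_policy` flags the two mistakes most often made with these documents: a Resource of `*` (the shape the question's user policy took once its Resource was loosened) and an anonymous principal granted anything beyond `s3:GetObject`. `parse_policy` refuses duplicate JSON keys, because `json.loads` silently keeps the last value, so a document with two `"Resource"` entries would parse with whichever scope came last. Everything except the optional `apply_bucket_policy` step runs offline with the standard library.

```python
import json
from typing import Any

BUCKET = "example-bucket"  # placeholder name, not a real bucket


def public_read_bucket_policy(bucket: str) -> dict[str, Any]:
    """Bucket policy from the answer: anyone may GetObject, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PublicReadGetObject",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def bucket_scoped_user_policy(bucket: str) -> dict[str, Any]:
    """IAM user policy from the answer: full S3 rights, but only on this bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def _reject_duplicate_keys(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    # json.loads keeps the LAST value for a repeated key, so a document with two
    # "Resource" entries would silently parse with the wrong scope. Refuse it.
    seen: dict[str, Any] = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r} in policy document")
        seen[key] = value
    return seen


def parse_policy(text: str) -> dict[str, Any]:
    """Parse a policy document, refusing duplicate keys."""
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)


def _as_list(value: Any) -> list[Any]:
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean "anyone".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_policy(policy: dict[str, Any]) -> list[str]:
    """Structural checks to run before attaching a policy. This is not an IAM
    policy simulator; it only flags the obvious mistakes (illustrative helper)."""
    findings: list[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' is not scoped to a bucket")
        if _is_anonymous(stmt.get("Principal")):
            extra = [a for a in actions if a != "s3:GetObject"]
            if extra:
                findings.append(f"statement {i}: anonymous principal granted {extra}")
    return findings


def apply_bucket_policy(bucket: str) -> None:
    """Optional: push the bucket policy with boto3 (needs credentials and network).
    With Block Public Access's BlockPublicPolicy on, PutBucketPolicy is rejected
    with AccessDenied, so the current setting is printed first."""
    import boto3  # imported here so the offline parts run without boto3 installed
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        cfg = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        cfg = {}
    print("Block Public Access:", cfg or "not configured")
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(public_read_bucket_policy(bucket)))


if __name__ == "__main__":
    for name, doc in (("bucket policy", public_read_bucket_policy(BUCKET)),
                      ("user policy", bucket_scoped_user_policy(BUCKET))):
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=4))
        print("findings:", lint_policy(doc) or "none")
    # Constructed: the shape the question's user policy took with Resource loosened.
    loosened = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}
    print("loosened user policy findings:", lint_policy(loosened))
```

Two caveats when applying this for real. Buckets created since April 2023 have Block Public Access enabled and ACLs disabled (Object Ownership set to "Bucket owner enforced") by default, so the public-read bucket policy is rejected until BlockPublicPolicy and RestrictPublicBuckets are turned off for that bucket, and a `public-read` ACL on an upload fails outright; the policy route in the answer is the one that still works once those settings are adjusted deliberately. The user policy's Resource should stay as the two bucket ARNs; `s3:*` on `*` lets that user read and delete every bucket in the account, which is exactly the loosening the linter flags.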
