 

How can I make a S3 bucket public (the amazon example policy doesn't work)?

Amazon provides an example for Granting Permission to an Anonymous User as follows (see Example Cases for Amazon S3 Bucket Policies):

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}

Within my policy I've changed "bucket" in "arn:aws:s3:::bucket/*" to "my-bucket".

However, once I try to access an image within a folder of that bucket, I get the following Access denied error:

This XML file does not appear to have any style information associated with it. The document tree is shown below.

(if I explicitly change the properties of that image to public, then reload its URL, the image loads perfectly)

What am I doing wrong?


Update #1: Apparently it has something to do with a third party site that I've given access to. Although it has all of the permissions as the main user (me), and its objects are in the same folder, with the exact same permissions, it still won't let me make them publicly viewable. No idea why.

Update #2: Bucket policies do not apply to objects "owned" by others, even though they are within your bucket, see my answer for details.

asked Feb 13 '12 16:02 by GoodGets




3 Answers

Update

As per GoodGets' comment, the real issue has been that bucket policies do not apply to objects "owned" by someone else, even though they are in your bucket; see GoodGets' own answer for details (+1).


Is this a new bucket/object setup or are you trying to add a bucket policy to a pre-existing setup?

In the latter case you might have stumbled over a related pitfall due to the interaction between the (by now) three different S3 access control mechanisms available, which can be rather confusing indeed. This is addressed e.g. in Using ACLs and Bucket Policies Together:

When you have ACLs and bucket policies assigned to buckets, Amazon S3 evaluates the existing Amazon S3 ACLs as well as the bucket policy when determining an account’s access permissions to an Amazon S3 resource. If an account has access to resources that an ACL or policy specifies, they are able to access the requested resource.

While this sounds easy enough, unintentional interference may result from the subtly different defaults between ACLs and policies:

With existing Amazon S3 ACLs, a grant always provides access to a bucket or object. When using policies, a deny always overrides a grant. [emphasis mine]

This explains why adding an ACL grant always guarantees access; however, this does not apply to adding a policy grant, because an explicit policy deny provided elsewhere in your setup would still be enforced, as further illustrated in e.g. IAM and Bucket Policies Together and Evaluation Logic.

Consequently I recommend starting with a fresh bucket/object setup to test the desired configuration before applying it to a production scenario (which might still interfere of course, but identifying/debugging the difference will be easier in that case).

Good luck!

answered Nov 11 '22 04:11 by Steffen Opel


Bucket policies do not apply to files with other owners. So although I've given write access to a third party, the ownership remains theirs, and my bucket policy will not apply to those objects.

answered Nov 11 '22 04:11 by GoodGets


I wasted hours on this, the root cause was stupid, the solutions mentioned here didn't help (I tried them all), and the AWS S3 permissions docs didn't emphasize this point.

If you have the Requester Pays setting ON, you cannot enable anonymous access (either by bucket policy or ACL 'Everyone'). You can certainly write the policies and ACL and apply them and even use the console to explicitly set a file to public, but an unsigned URL will still get a 403 Access Denied 100% of the time on that file, until you uncheck the Requester Pays setting in the console for the entire bucket (Properties tab when the bucket is selected). Or, I assume, via some REST API call.

Unchecked Requester Pays and now anonymous access is working, with referrer restrictions, etc. In fairness, the AWS console does tell us:

While Requester Pays is enabled, anonymous access to this bucket is disabled.

answered Nov 11 '22 05:11 by Jinn
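The three answers above each describe one rule that decides whether an unsigned GET succeeds: an explicit Deny in a bucket policy beats any Allow while an ACL grant stands on its own (Steffen Opel's answer), a bucket-policy Allow only reaches objects the bucket owner actually owns (GoodGets' answer), and Requester Pays switches anonymous access off regardless of policy or ACL (Jinn's answer). The following is an added example, written for this page and not code from the thread or from AWS, that models those rules offline so you can see why the question's setup produces a 403 for the third party's uploads but a 200 for the same object once its ACL is set to public. The `Bucket` and `S3Object` classes, `decide_anonymous_get`, the sample keys and the account names "me" and "third-party" are assumptions of the example; the policy builder reproduces the question's policy.

```python
"""Offline model of the three S3 access-control rules this thread turns on:
ACL grant versus bucket-policy Allow/Deny (Steffen Opel's answer), a bucket
policy reaching only objects the bucket owner owns (GoodGets' answer), and
Requester Pays switching anonymous access off (Jinn's answer). Added example,
not AWS's evaluation engine: Bucket, S3Object and decide_anonymous_get are
assumptions of this example that follow the rules as the answers state them.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, Optional, Tuple
import json

def public_read_policy(bucket: str) -> dict:
    """The question's policy: everyone may GetObject on every key in the bucket."""
    return {
        "Version": "2012-10-17",  # S3 also accepts the question's "2008-10-17"
        "Statement": [{
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }

def deny_prefix_statement(bucket: str, prefix: str) -> dict:
    """Explicit Deny for everyone on one key prefix, to show a Deny beating the Allow."""
    return {"Sid": "DenyPrefix", "Effect": "Deny", "Principal": {"AWS": "*"},
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"}

@dataclass
class S3Object:
    key: str
    owner: str                     # the account that uploaded the object owns it
    public_read_acl: bool = False  # object ACL grants READ to the AllUsers group

@dataclass
class Bucket:
    name: str
    owner: str
    policy: Optional[dict] = None
    requester_pays: bool = False
    objects: Dict[str, S3Object] = field(default_factory=dict)

def policy_decision(policy: Optional[dict], action: str, arn: str) -> str:
    """Evaluate a bucket policy for an anonymous caller: 'deny', 'allow' or 'none'.
    A matching Deny overrides any Allow, the rule quoted in Steffen's answer."""
    decision = "none"
    for stmt in (policy or {}).get("Statement", []):
        p = stmt.get("Principal")
        if not (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")):
            continue  # statement is not about the anonymous principal
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # IAM-style wildcards; fnmatch's '*' spans '/', so 'bucket/*' covers nested keys
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision

def decide_anonymous_get(bucket: Bucket, key: str) -> Tuple[int, str]:
    """Outcome of an unsigned GET of bucket/key, as (HTTP status, reason)."""
    obj = bucket.objects[key]
    if bucket.requester_pays:  # Jinn's answer: no anonymous access at all
        return 403, "Requester Pays enabled, anonymous access disabled"
    decision = policy_decision(bucket.policy, "s3:GetObject", f"arn:aws:s3:::{bucket.name}/{key}")
    if decision == "deny":  # an explicit Deny is enforced before any grant is considered
        return 403, "explicit Deny in bucket policy"
    if decision == "allow" and obj.owner == bucket.owner:  # GoodGets' answer: owner must match
        return 200, "Allow in bucket policy"
    if obj.public_read_acl:  # what 'make public' in the console sets; a grant on its own
        return 200, "public-read object ACL"
    if decision == "allow":
        return 403, f"object owned by {obj.owner}, not by bucket owner {bucket.owner}"
    return 403, "no grant for anonymous caller"

def example_bucket() -> Bucket:
    """Constructed sample matching the question: my upload plus two third-party uploads."""
    b = Bucket(name="my-bucket", owner="me", policy=public_read_policy("my-bucket"))
    for o in (S3Object("folder/mine.jpg", owner="me"),
              S3Object("folder/theirs.jpg", owner="third-party"),
              S3Object("folder/theirs-public.jpg", owner="third-party", public_read_acl=True)):
        b.objects[o.key] = o
    return b

if __name__ == "__main__":
    print(json.dumps(public_read_policy("my-bucket"), indent=4))
    b = example_bucket()
    for key in b.objects:
        print(key, decide_anonymous_get(b, key))
```

To confirm the same diagnosis on a real bucket rather than the model, compare the `Owner` returned by `aws s3api get-object-acl` for the failing key with the `Owner` from `aws s3api get-bucket-acl` (a mismatch is GoodGets' case), and check `aws s3api get-bucket-request-payment` for `"Payer": "Requester"` (Jinn's case). The historical fixes for the ownership trap were to have the third party upload with the `bucket-owner-full-control` canned ACL or to copy the object onto itself from the bucket owner's account; on current S3 the cleaner fix is Object Ownership set to `BucketOwnerEnforced`, which disables ACLs so the bucket owner owns every object and the bucket policy alone decides. Note also that buckets created since April 2023 have S3 Block Public Access enabled by default, so applying the question's policy is rejected with Access Denied until the `BlockPublicPolicy` setting is turned off for that bucket, a deliberate guard against exposing a bucket by accident.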