 

How do I have an S3 bucket return 404 (instead of 403) for a key that does not exist in the bucket?

Tags:

amazon-s3

I am using S3 to store some business critical documents. I want the bucket to return a 404 status code when trying to access an object that does not exist in the bucket.

However, I am finding that it keeps on returning me "403

Here is an example of a session using the S3 website URL.

```
> GET /foobar.txt HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: <bucketname>.s3-website-us-east-1.amazonaws.com
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Last-Modified: Mon, 09 Sep 2013 19:10:28 GMT
< ETag: "14e13b81b3ce5b129d1f206b3e514885"
< x-amz-error-code: AccessDenied
< x-amz-error-message: Access Denied
< x-amz-request-id: <snip>
< x-amz-id-2: <snip>
< Content-Type: text/html
< Content-Length: 11
< Date: Thu, 26 Sep 2013 20:01:45 GMT
< Server: AmazonS3
<
Not found!
```

Note, the "Not Found!" string is coming from the error document set on the bucket properties when enabling S3 website hosting.

I have also tried accessing using the bucket URL directly

http://.s3.amazonaws.com/

and that returns the same, except that instead of the error document, I get an XML document.

How do I solve this problem?

asked Sep 26 '13 20:09

feroze



1 Answer

S3 returns a 403 instead of a 404 when the user doesn't have permission to list the bucket contents.

If you query for an object and receive a 404, then you know that object doesn't exist. This is information you shouldn't know if you don't have permission to list the bucket contents so instead of telling you it doesn't exist, S3 just tells you that you're trying to do something you're not allowed to do. When you get a 403 instead of a 404 you have no way of knowing that the object you requested doesn't exist. It might not exist or it might exist and you just don't have permission to access it. There's no way for you to know for sure and so no security is bypassed.

I believe anyone with access to list the bucket contents will get a 404 instead of a 403.

answered Sep 21 '22 14:09

Tim Gautier
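Added example, not part of the question or the answer above: a simplified model of the rule the answer describes, predicting whether a GET for a missing key returns 403 or 404 depending on whether the caller is allowed `s3:ListBucket` on the bucket. The bucket name, account id, role ARN and both policies are constructed placeholders, and the evaluator covers only a bucket policy's `Effect`, `Principal`, `Action` and `Resource`.

```python
import re

def _listify(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value, ignore_case=False):
    # IAM-style wildcards: '*' is any run of characters, '?' is exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _principal_matches(principal, caller):
    # caller is an ARN string, or None for an anonymous (unsigned) request.
    if principal == "*":
        return True
    aws = _listify(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or (caller is not None and caller in aws)

def is_allowed(policy, caller, action, resource):
    # Simplified evaluation: bucket policy only; ignores Condition, Not* elements,
    # IAM identity policies, ACLs and Block Public Access.
    allowed = False
    for st in _listify(policy["Statement"]):
        if (_principal_matches(st.get("Principal"), caller)
                and any(_glob(a, action, True) for a in _listify(st["Action"]))
                and any(_glob(r, resource) for r in _listify(st["Resource"]))):
            if st["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed

def missing_key_status(policy, caller, bucket):
    # GET of a key that does not exist, by a caller who may read objects:
    # "not found" is only revealed to callers allowed to list the bucket.
    can_list = is_allowed(policy, caller, "s3:ListBucket", f"arn:aws:s3:::{bucket}")
    return 404 if can_list else 403

# Constructed sample data: bucket name, account id and role are placeholders.
BUCKET = "example-bucket"
AUDITOR = "arn:aws:iam::111122223333:role/doc-auditor"
PUBLIC_READ = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
               "Resource": f"arn:aws:s3:::{BUCKET}/*"}
LIST_FOR_AUDITOR = {"Effect": "Allow", "Principal": {"AWS": AUDITOR},
                    "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"}
website_policy = {"Version": "2012-10-17", "Statement": [PUBLIC_READ]}
scoped_policy = {"Version": "2012-10-17", "Statement": [PUBLIC_READ, LIST_FOR_AUDITOR]}
if __name__ == "__main__":
    for name, pol in (("website", website_policy), ("scoped", scoped_policy)):
        for who in (None, AUDITOR):
            print(name, who or "anonymous", missing_key_status(pol, who, BUCKET))
```

With the scoped policy only the named role sees 404 for a missing key; anonymous readers still get 403, so they cannot tell which keys exist in the bucket.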