I have found a couple of similar questions on StackOverflow like this one but they are quite old and it seems things have changed with S3 since then. They added these four settings which are quite confusing: <img src="https://i.stack.imgur.com/NgdeU.png" alt="enter image description here"> If I turn these off, does it mean it makes my bucket writable by public? In addition I also added this policy: <pre class="prettyprint"><code>{ "Version": "2008-10-17", "Statement": [ { "Sid": "PublicReadForGetBucketObjects", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::REDACTED/*" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::REDACTED:user/REDACTED" }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::REDACTED", "arn:aws:s3:::REDACTED/*" ] } ] </code></pre> and this CORS configuration: <pre class="prettyprint"><code><?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <CORSRule> <AllowedOrigin>REDACTED</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <AllowedMethod>POST</AllowedMethod> <AllowedMethod>PUT</AllowedMethod> <AllowedHeader>*</AllowedHeader> </CORSRule> </CORSConfiguration> </code></pre> I am trying to give public read access and restrict full access to a user I created in IAM. I would appreciate if someone could confirm that my settings are correct or in case they are not point me to the resources I need to get it right.

To make objects publicly accessible, use a policy like this: <pre class="prettyprint"><code>{ "Version":"2012-10-17", "Statement":[ { "Sid":"PublicRead", "Effect":"Allow", "Principal": "*", "Action":["s3:GetObject"], "Resource":["arn:aws:s3:::examplebucket/*"] } ] } </code></pre> Note that use of <code>"Principal": "*"</code>, which is different to your policy that uses <code>"Principal": {"AWS": "*"}</code>. This allows objects to be accessed (<code>GetObject</code>), but the content of the bucket cannot be listed. That would require <code>ListBucket</code> permissions on the bucket itself (without the <code>/*</code>). You will also need to turn off the two Block Public Access settings related to Bucket Policies.

How to set public read only access on Amazon S3 Bucket?

I have found a couple of similar questions on StackOverflow like this one but they are quite old and it seems things have changed with S3 since then. They added these four settings which are quite confusing: enter image description here If I turn these off, does it mean it makes my bucket writable by public? In addition I also added this policy:

{
"Version": "2008-10-17",
"Statement": [
    {
        "Sid": "PublicReadForGetBucketObjects",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::REDACTED/*"
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::REDACTED:user/REDACTED"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::REDACTED",
            "arn:aws:s3:::REDACTED/*"
        ]
    }
]

and this CORS configuration:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>REDACTED</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

I am trying to give public read access and restrict full access to a user I created in IAM. I would appreciate if someone could confirm that my settings are correct or in case they are not point me to the resources I need to get it right.

How do I make my S3 bucket from private to public?

Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/ . In the Bucket name list, choose the name of the bucket that you want. Choose Permissions. Choose Edit to change the public access settings for the bucket.

Can anyone write to a public S3 bucket?

An Amazon S3 bucket that grants public WRITE (UPLOAD/DELETE) access, can allow everyone on the Internet to add, delete, and replace objects within the S3 bucket without restrictions.

What resources can you set Amazon S3 block public access on?

You can enable block public access settings only for access points, buckets, and AWS accounts.

To make objects publicly accessible, use a policy like this:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"PublicRead",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

Note that use of "Principal": "*", which is different to your policy that uses "Principal": {"AWS": "*"}.

This allows objects to be accessed (GetObject), but the content of the bucket cannot be listed. That would require ListBucket permissions on the bucket itself (without the /*).

You will also need to turn off the two Block Public Access settings related to Bucket Policies.

How to set public read only access on Amazon S3 Bucket?

Tags:

amazon-web-services

amazon-s3

aeduG

People also ask

1 Answers

John Rotenstein

Recent Activity

Donate For Us

How to set public read only access on Amazon S3 Bucket?

Tags:

amazon-web-services

amazon-s3

aeduG

People also ask

1 Answers

John Rotenstein

Related questions

Recent Activity

Donate For Us