I have found a couple of similar questions on StackOverflow like this one, but they are quite old and it seems things have changed with S3 since then. They added these four settings, which are quite confusing: If I turn these off, does it mean it makes my bucket writable by the public? In addition I also added this policy:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "PublicReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::REDACTED/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::REDACTED:user/REDACTED"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::REDACTED",
                "arn:aws:s3:::REDACTED/*"
            ]
        }
    ]
}
and this CORS configuration:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>REDACTED</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
I am trying to give public read access and restrict full access to a user I created in IAM. I would appreciate it if someone could confirm that my settings are correct or, in case they are not, point me to the resources I need to get it right.
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/ . In the Bucket name list, choose the name of the bucket that you want. Choose Permissions. Choose Edit to change the public access settings for the bucket.
An Amazon S3 bucket that grants public WRITE (UPLOAD/DELETE) access can allow everyone on the Internet to add, delete, and replace objects within the S3 bucket without restrictions.
You can enable block public access settings only for access points, buckets, and AWS accounts.
To make objects publicly accessible, use a policy like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::examplebucket/*"]
        }
    ]
}
Note the use of "Principal": "*", which is different to your policy that uses "Principal": {"AWS": "*"}.
This allows objects to be accessed (GetObject), but the content of the bucket cannot be listed. That would require ListBucket permissions on the bucket itself (without the /*).
You will also need to turn off the two Block Public Access settings related to Bucket Policies.
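As an added check (not from the question or either answer), the following Python statically audits a bucket policy of the shape shown above, flagging any Allow statement that gives everyone more than s3:GetObject on objects, and reports which of the four Block Public Access settings would still stop such a policy from working. Bucket, account and user names in the sample are placeholders.

```python
import json
# Principal forms AWS treats as "everyone" (anonymous callers).
def is_public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_json, allowed_public_actions=("s3:GetObject",)):
    """List every grant an Allow statement gives to everyone beyond object reads."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed_public_actions:
                findings.append(f"{sid}: everyone is allowed {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            # A bucket ARN without /* exposes bucket-level actions such as ListBucket.
            if not resource.endswith("/*"):
                findings.append(f"{sid}: public statement targets bucket ARN {resource}")
    return findings

# Block Public Access: the two policy-related settings must be off for a public-read
# bucket policy to take effect; the two ACL-related ones can stay on (ACLs are unused here).
POLICY_SETTINGS = ("BlockPublicPolicy", "RestrictPublicBuckets")
ACL_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls")

def check_block_public_access(settings):
    """Report policy blocks still on (breaks public read) and ACL blocks left off."""
    return {
        "still_blocking_policy": [s for s in POLICY_SETTINGS if settings.get(s, True)],
        "acl_blocks_off": [s for s in ACL_SETTINGS if not settings.get(s, False)],
    }

# Constructed sample mirroring the question's layout (bucket/account/user are placeholders).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerFull", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/example-user"},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-bucket",
                                    "arn:aws:s3:::example-bucket/*"]}]})
```

Running audit_bucket_policy(SAMPLE_POLICY) returns an empty list, because only GetObject on object ARNs is granted to everyone; a public statement with s3:PutObject or a bare bucket ARN is reported.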