AWS S3 Policy to show images (read-only). Please verify

Tags:

amazon-s3

I am quite surprised how complicated it is to give read-only permissions to an AWS S3 bucket. Maybe it is just me, but I would imagine many use S3 to store images for websites and thus make them available, so read-only should be a "click and select" option.

Instead, as far as I understand, you use a bucket policy for this, using their bucket policy generator.

I have created this policy, which as far as I understand should do what I want:

{
    "Version": "2012-10-17",
    "Id": "Policy1441664301333",
    "Statement": [
        {
            "Sid": "Stmt1441664293105",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket-name/*"
        }
    ]
}

where my-bucket-name of course is replaced. This works in terms of making my images (the entire bucket is just images) publicly available. Since I don't understand the code in this policy at all, and I can't seem to find out where to read about it, I want to verify:

  • Does this policy allow users to do anything other than read the files in my bucket? I.e. could someone delete files, upload files, etc.? Basically, am I at risk of something malicious happening to my images?

I believe this is borderline for what can be asked on StackOverflow, but I assume this issue is quite common and as such would be interesting for others as well as a reference.

Christoffer asked Nov 19 '25 05:11


1 Answer

Explaining this policy:

"Version": "2012-10-17",

This is the version of policy language. 2012-10-17 is the newest.

"Id": "Policy1441664301333",

This is an opaque identifier, a label, has no meaning to the system.

"Statement": [
    {

Begin a policy statement.

        "Sid": "Stmt1441664293105",

Another opaque identifier.

        "Effect": "Allow",

This policy, if matched, allows the specified action(s). The opposite is deny.

        "Principal": "*",

Who are the users that this policy applies to? * = anybody and everybody

        "Action": "s3:GetObject",

What actions are permitted when this rule is matched? Get an object from an S3 bucket.

        "Resource": "arn:aws:s3:::my-bucket-name/*"

Which bucket and which files in the bucket?

    }

End of policy statement.

This policy does what you intend.

There is, of course, a simpler way to accomplish this. When uploading to S3 through the console, you can choose "make everything public" or when uploading through the API, you can use the canned ACL called public-read. Doing so grants the same permission, but at the object level instead of the bucket level, but the effect is the same.

In S3, and indeed all of AWS that is subject to IAM policies, the default action is deny. Something has to allow access for things you want to be public... and that something, in the case of S3, can be bucket-level policy or object-level permissions. The absence of any rule allowing put, delete, list, etc., means those things are implicitly denied.

When policies are evaluated, a single matching "deny" rule (other than the built-in implicit deny) overrides any "allow" rule.

Michael - sqlbot answered Nov 21 '25 19:11
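The evaluation rules the answer describes (every request starts as an implicit deny, a matching Allow flips it, a single matching explicit Deny wins over any Allow) can be checked mechanically. The script below is an added example, not code from the question, the answer or AWS: it is a toy evaluator for the Effect/Principal/Action/Resource subset of the policy language, run against a constructed copy of the asker's policy with the placeholder bucket name. It ignores Condition, NotAction/NotResource/NotPrincipal, object ACLs, IAM identity policies and the account-level S3 Block Public Access setting, all of which real S3 also consults, so treat it as an illustration of the semantics rather than an authorization oracle.

```python
"""Toy evaluator for the bucket-policy semantics discussed in the answer:
default deny, explicit Allow, and explicit Deny overriding Allow.
Covers only Effect/Principal/Action/Resource with '*' wildcards (added
example; ignores Condition, Not* elements, ACLs and Block Public Access)."""
import copy
import fnmatch
import json

# Constructed copy of the policy from the question (bucket name is a placeholder).
POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Id": "Policy1441664301333",
    "Statement": [
        {
            "Sid": "Stmt1441664293105",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket-name/*"
        }
    ]
}
"""
POLICY = json.loads(POLICY_JSON)

# A caller name that matches no account ARN: stands in for an unauthenticated request.
ANONYMOUS = "anonymous"


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    # "*" means everyone, including unauthenticated callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS", []))
        return "*" in aws or caller in aws
    return False


def _action_matches(pattern, action):
    # Action names are case-insensitive and may contain '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive; '*' stands for any run of characters.
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policy, caller, action, resource):
    """Return 'Allow', 'Deny' (an explicit Deny matched) or 'ImplicitDeny'
    (nothing matched, which is the starting point for every request)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), caller):
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # one matching Deny wins over any number of Allows
        decision = "Allow"
    return decision


def public_permissions(policy, bucket):
    """Probe what an unauthenticated caller gets: the check the question asks for."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/example.png"  # any object key will do
    probes = [
        ("s3:GetObject", object_arn),
        ("s3:PutObject", object_arn),
        ("s3:DeleteObject", object_arn),
        ("s3:ListBucket", bucket_arn),
        ("s3:PutBucketPolicy", bucket_arn),
    ]
    return {action: evaluate(policy, ANONYMOUS, action, arn) for action, arn in probes}


def with_private_prefix(policy, bucket, prefix):
    """Return a copy of the policy with an explicit Deny for one key prefix,
    showing that a Deny overrides the bucket-wide Allow (hypothetical statement)."""
    new_policy = copy.deepcopy(policy)
    new_policy["Statement"].append({
        "Sid": "DenyPrivatePrefix",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
    })
    return new_policy


if __name__ == "__main__":
    for action, decision in public_permissions(POLICY, "my-bucket-name").items():
        print(f"{action:20} {decision}")
    locked = with_private_prefix(POLICY, "my-bucket-name", "private/")
    print(evaluate(locked, ANONYMOUS, "s3:GetObject", "arn:aws:s3:::my-bucket-name/private/secret.png"))
```

Running it shows that the asker's policy grants anonymous callers only s3:GetObject on object keys; put, delete, list and policy changes all come back as ImplicitDeny because no statement matches them. The s3:ListBucket probe also illustrates why the Resource matters: the statement's `my-bucket-name/*` pattern covers objects but not the bucket ARN itself, so directory listing stays closed. The with_private_prefix helper adds a hypothetical Deny for one prefix to show the override rule from the last paragraph of the answer.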


