Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What combination of Block Public Access settings makes my s3 bucket viewable to everyone?

Tags:

amazon-web-services

amazon-s3

I am new to AWS and created an s3 bucket for static site hosting. I want to allow Read-Only access to everyone so they can access the website. What combination of settings gives me this scenario? Do I need to uncheck all 4 settings in the Block Public Access settings? Do I even need to add a bucket policy if all 4 settings are set to off? I just want to make sure the bucket is never written to but the account holder. Thanks. enter image description here

like image 802
Nizzy Avatar asked Oct 01 '19 00:10

Nizzy

People also ask

What is block public access in S3?

S3 Block Public Access provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects never have public access, now and in the future. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.

How do I enable block public access to S3 bucket?

06 To enable the S3 Block Public Access feature, select the Block all public access checkbox to activate all feature settings (options), and choose Save changes. 07 In the Edit Block public access (bucket settings) dialog box, type confirm in the appropriate box, then choose Confirm to apply the configuration changes.

What resources can you set Amazon S3 block public access on?

You can enable block public access settings only for access points, buckets, and AWS accounts.

1 Answers

Block Public Access acts as an additional layer of protection to prevent Amazon S3 buckets from being made public accidentally.

By default, all content in Amazon S3 is private. You can then make content accessible in several different ways:

  • At the bucket-level, by creating a Bucket Policy on the desired bucket. The rules added to this bucket can be used to grant access to objects (GetObject), list contents, upload, delete, etc. The policies can also get quite specific, such as allowing access only to specific IP addresses.
  • At the object-level, by configuring Access Control Lists (ACLs) on each individual object. For example, an object can be made publicly accessible.
  • At the IAM User or IAM Group level, by adding an IAM Policy directly the to the user/group. This is great for granting access to only specific sets of IAM users (as opposed to publicly).
  • By using Pre-Signed URLs that are generated programmatically and provide time-limited access to a specific object. This is typically used by applications to grant access to private objects. For example, a photo-sharing website would keep all photos private, but an authorized user would be able to view their own pictures, or pictures shared with them via the application.

So, in your question, you say you would like to "allow Read-Only access to everyone so they can access the website". This would normally be done by creating a Bucket Policy such as:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"MakeItPublic",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::my-bucket/*"]
    }
  ]
}

You should first deactivate the two Block Public Access settings that refer to Bucket Policies (the bottom two).

like image 154
John Rotenstein Avatar answered Oct 19 '22 03:10

John Rotenstein
Sign in to Comment

Related questions

How do you associate a IAM Role with an Aurora Cluster using CloudFormation?
AWS - nodejs SDK - CognitoIdentityServiceProvider.initiateAuth - CredentialsError: Missing credentials in config
Uploading multiple files to AWS S3 using NodeJS
aws rds, lost connection to MySQL server during query, when importing large file
AWS Glue Crawler Classifies json file as UNKNOWN
Webpack configuration for AWS Lambda?
botocore.exceptions.ClientError An error occurred (SignatureDoesNotMatch) when calling the GetObject operation
Use IAmazonDynamoDB or IDynamoDBContext (both?)
Is there a way to run aws glue crawler after job is finished?
How do I excluded folder from sam deploy command?
Can AWS Lambdas receive inbound TCP connections?
Where is the API documentation for boto3 resources?
Failed to retrieve credentials from EC2 Instance Metadata Service
Using External Identity Providers with Server Side Authentication
Publish AWS SNS message to Pagerduty
Custom version label with aws code pipeline
Organize multiple projects (AWS)
Use ECR images in EKS from another account
How to provide AWS API Gateway Custom Authorizer a Lambda Permission?
How can I visualize timeseries data aggregated by more than one dimension on AWS insights?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!