
I am new to AWS S3 and trying to figure out how it works.

It seems like, in order to make individual files Public on the Internet, you have to set "Public access" to "Everyone" on the specific Object.

[screenshot 1: the Object's permissions]

However, the Bucket itself has the same permissions;

[screenshot 2: the Bucket's permissions]

Even if I change the "Public access" to "Everyone" for the Bucket, it seems like it's still the individual Object's permissions that are used (screenshot 1).

If that is the case, what exactly does the "Public access" on the Bucket do?

corgrath

2 Answers


S3 access permissions are a muddled affair, principally because there are three 'types' to understand.

A full discussion of the permission models (bucket access permissions, control lists and policies) can be found in the documentation (see: Setting Bucket and Object Access Permissions - Amazon Simple Storage Service). But as you've noticed:

Bucket and object permissions are independent of each other. An object does not inherit the permissions from its bucket. For example, if you create a bucket and grant write access to a user, you will not be able to access that user’s objects unless the user explicitly grants you access.

"Public access" means "a user from outside of your account that does not have IAM or S3 ACL access".

As with all bucket access permissions, this can be set both for the bucket actions (allow anyone to list the objects / allow anyone to create objects in your bucket, and the same for the access control lists) and for individual objects (read/write/etc.).

n.b. if you're asking this because you are trying to make your S3 bucket publicly accessible, a guide to doing that can be found in this answer. Just try not to end up being the next open-s3-bucket company on the news please!

thomasmichaelwallace

The best way to grant public access to an Amazon S3 bucket, or a portion of the bucket, is to use a Bucket Policy. This is easier than granting public access on each individual object.

Here is a policy that grants public access to the whole bucket:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

John Rotenstein
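To make the interaction between the layers described in both answers concrete, here is an added example (not code from either answer) that models a bucket ACL, per-object ACLs and a bucket policy as seen by an anonymous requester, and replays the three situations in the thread: only an object ACL made public, the bucket ACL made public, and the bucket policy from the second answer. The `Bucket` class, its methods and the evaluation rules are assumptions for illustration and deliberately simplify the real S3 model (no Deny statements, no IAM principals, no Conditions, and no account-level Block Public Access settings, which can override all of the below).

```python
import fnmatch

# Toy model of the three S3 permission layers discussed above (bucket ACL,
# per-object ACLs, bucket policy) for an anonymous (unauthenticated) request.
# Added example; the class and its rules are assumptions for illustration and
# simplify the real S3 model (no Deny, no IAM, no Conditions, no Block Public
# Access settings).

ALL_USERS_READ = ("AllUsers", "READ")   # the ACL grant that "Public access: Everyone" adds


def public_read_policy(bucket_name):
    """Bucket policy in the shape of the second answer: anyone may GetObject on every key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket_name}/*"],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


class Bucket:
    def __init__(self, name):
        self.name = name
        self.arn = f"arn:aws:s3:::{name}"
        self.bucket_acl = set()    # grants on the bucket itself (list / create objects)
        self.object_acls = {}      # key -> grants on that one object
        self.policy = None         # bucket policy document, or None

    def put_object(self, key, public=False):
        # A new object does not inherit the bucket ACL: it starts with only the
        # owner's permissions unless the uploader explicitly asks for public-read.
        self.object_acls[key] = {ALL_USERS_READ} if public else set()

    def _policy_allows(self, action, resource_arn):
        """Does some Allow statement for principal '*' cover this action and resource?"""
        if not self.policy:
            return False
        for stmt in self.policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            if stmt.get("Principal") not in ("*", {"AWS": "*"}):
                continue
            action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            resource_ok = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
            if action_ok and resource_ok:
                return True
        return False

    def anonymous_can(self, action, key=None):
        """True if an unauthenticated request for `action` would be allowed."""
        if action == "s3:ListBucket":
            # Listing is a bucket-level permission: bucket ACL READ, or a policy on the bucket ARN.
            return ALL_USERS_READ in self.bucket_acl or self._policy_allows(action, self.arn)
        if action == "s3:GetObject":
            # Reading is an object-level permission: the object's own ACL, or a policy
            # whose Resource matches the object ARN. The bucket ACL plays no part here.
            if key not in self.object_acls:
                return False
            return ALL_USERS_READ in self.object_acls[key] or self._policy_allows(action, f"{self.arn}/{key}")
        raise ValueError(f"unsupported action {action}")


def walk_through():
    """Replay the thread's three situations; each value is (get public.txt, get private.txt, list bucket)."""
    b = Bucket("examplebucket")
    b.put_object("private.txt")
    b.put_object("public.txt", public=True)

    def probe():
        return (b.anonymous_can("s3:GetObject", "public.txt"),
                b.anonymous_can("s3:GetObject", "private.txt"),
                b.anonymous_can("s3:ListBucket"))

    results = {}
    results["object_acl_only"] = probe()           # (True, False, False)

    b.bucket_acl.add(ALL_USERS_READ)                # "Public access: Everyone" on the bucket
    results["bucket_acl_public"] = probe()         # (True, False, True): listing opens, private.txt stays private

    b.bucket_acl.clear()
    b.policy = public_read_policy(b.name)           # the second answer's policy
    results["bucket_policy"] = probe()             # (True, True, False): every object readable, still no listing
    return results


if __name__ == "__main__":
    for state, (pub, priv, lst) in walk_through().items():
        print(f"{state:18} GetObject public.txt={pub} private.txt={priv} ListBucket={lst}")
```

The middle state is the one the question is about: granting "Everyone" READ on the bucket lets anonymous users list the key names, but the objects themselves stay as private as their own ACLs say. The policy state is why the second answer recommends a bucket policy: one document covers every present and future key under `examplebucket/*`, while the `s3:ListBucket` action is not granted unless a statement names it on the bucket ARN.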