
I have found a couple of similar questions on StackOverflow like this one, but they are quite old and it seems things have changed with S3 since then. They added these four settings, which are quite confusing: [screenshot of the four Block Public Access settings not reproduced]. If I turn these off, does it mean it makes my bucket writable by the public? In addition, I also added this policy:

```json
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "PublicReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::REDACTED/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::REDACTED:user/REDACTED"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::REDACTED",
                "arn:aws:s3:::REDACTED/*"
            ]
        }
    ]
}
```

and this CORS configuration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>REDACTED</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
```

I am trying to give public read access and restrict full access to a user I created in IAM. I would appreciate it if someone could confirm that my settings are correct or, in case they are not, point me to the resources I need to get it right.

awaelchli
  • Your policy seems wrong. From [the post](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-2), set the policy and turn off the block public access (already done). – Lamanus Oct 27 '19 at 14:03
  • No, disabling Block Public Access does *not* make your bucket publicly writable (or readable). Disabling it simply allows you to make objects public. – jarmod Oct 27 '19 at 19:33
  • Thanks, I was able to find the right settings with your help! – awaelchli Oct 28 '19 at 17:59
  • yes I am having a similar issue.. the settings are unnecessarily confusing – Nigel Fds Sep 30 '20 at 01:58

1 Answer


To make objects publicly accessible, use a policy like this:

```json
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"PublicRead",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}
```

Note the use of `"Principal": "*"`, which is different from your policy, which uses `"Principal": {"AWS": "*"}`.

This allows objects to be accessed (GetObject), but the content of the bucket cannot be listed. That would require ListBucket permissions on the bucket itself (without the /*).

You will also need to turn off the two Block Public Access settings related to Bucket Policies.

John Rotenstein
  • +1 for explaining the permissions for listing bucket contents and which block settings need to be off. Exactly what I needed to know. – awaelchli Oct 28 '19 at 17:56
  • @john-rotenstein what two blocks do you mean to turn off? there is one that controls all and there are other 4 individual options that you can turn on/off. – Cesar Flores Dec 09 '21 at 14:59
  • 1
    @CesarFlores In the individual options, turn off the two that mention **Bucket Policy**. – John Rotenstein Dec 09 '21 at 21:01
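The answer makes two points a reviewer wants to check mechanically before a bucket goes live: the only thing an anonymous principal should get is `s3:GetObject` on the objects (`bucket/*`), never anything on the bucket ARN itself (which is what `ListBucket` would need) and never write actions; and the two Block Public Access settings that govern bucket policies must be off. The following linter is an added example written for this page, not code from the question, the answer, or AWS. It treats both spellings of the anonymous principal (`"*"` and `{"AWS": "*"}`) as public, which is how AWS documents them. The setting names `BlockPublicPolicy` and `RestrictPublicBuckets` are the real field names of S3's `PublicAccessBlockConfiguration`; the policies and the configuration dict fed to it are constructed samples, and `examplebucket` is the bucket name from the answer.

```python
import json

# Real S3 Block Public Access setting names (fields of PublicAccessBlockConfiguration).
# The two that govern bucket policies: BlockPublicPolicy rejects a new public policy,
# RestrictPublicBuckets stops an existing public policy from serving anonymous callers.
POLICY_RELATED_BPA = ("BlockPublicPolicy", "RestrictPublicBuckets")

# The only action a public-read policy should hand to anonymous callers.
READ_ONLY_ACTIONS = {"s3:getobject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for the anonymous principal in both forms AWS accepts:
    "Principal": "*" and "Principal": {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_public_statements(policy, bucket):
    """Return a list of findings for every Allow statement with an anonymous principal.

    Acceptable: only s3:GetObject on arn:aws:s3:::<bucket>/* (object level).
    Flagged: any other action, a resource that is the bucket itself (the level a
    public ListBucket would need), resources outside the bucket, and the
    NotPrincipal / NotAction forms, which widen a grant instead of narrowing it.
    """
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in stmt:
            findings.append(f"{sid}: Allow with NotPrincipal reaches anonymous callers")
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue  # scoped to a specific account or user, e.g. the IAM user in the question
        if "NotAction" in stmt:
            findings.append(f"{sid}: public NotAction allows every unlisted action")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        extra = sorted(actions - READ_ONLY_ACTIONS)
        if extra:
            findings.append(f"{sid}: anonymous principal granted {extra}")
        for res in _as_list(stmt.get("Resource", [])):
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: public grant on every bucket ({res})")
            elif res.rstrip("/") == bucket_arn:
                findings.append(f"{sid}: public grant on the bucket itself ({res}), enables listing")
            elif not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} is outside {bucket}")
    return findings


def bpa_settings_to_disable(bpa):
    """Given a dict shaped like PublicAccessBlockConfiguration, name the policy-related
    settings that are still on; a missing key is treated as on, matching a fresh bucket."""
    return [k for k in POLICY_RELATED_BPA if bpa.get(k, True)]


# Constructed sample: the public-read policy from the answer.
PUBLIC_READ_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::examplebucket/*"]}
  ]
}
""")

# Constructed sample of what not to ship: anonymous listing plus anonymous writes.
OVERLY_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::examplebucket"},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::examplebucket/*"},
    ],
}

# Constructed sample: all four settings still on, as on a newly created bucket.
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, pol in (("answer", PUBLIC_READ_POLICY), ("open", OVERLY_OPEN_POLICY)):
        print(name, lint_public_statements(pol, "examplebucket") or "OK")
    print("turn off:", bpa_settings_to_disable(ALL_BLOCKED))
```

Run against the answer's policy the linter returns no findings; against the constructed open policy it reports the `ListBucket` grant, the bucket-level resource, and the `PutObject` write. `bpa_settings_to_disable` on a fresh bucket's configuration names exactly the two settings the answer says to turn off, while the ACL-related pair can stay on for a policy-only public-read setup.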