I have created an Amazon S3 bucket which is private in nature but I don't want my users to create any public object inside that bucket. How should I do that through an S3 policy of that bucket? I tried but I am getting an error that the policy has an invalid resource.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyPublicReadGetObject",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
" arn:aws:s3:::aws-my-bucket-s3-vk/*"
]
}
]
}
Users should be able to access the bucket and create new object/get the object from inside an EC2 instance with necessary permissions.
On the S3 console, after the bucket name there is access column which should come "bucket and object cannot be public".
You should enable Block Public Access on the S3 bucket. This will prevent anyone making objects public in that bucket. You should also restrict which IAM users/roles/policies have permission to modify the Block Public Access settings.
Amazon S3 block public access settings will override S3 bucket policies and object-level permissions to prevent public access.