How to make an s3 object public in s3 private bucket without using presigned URLs
I have an s3 bucket with the following policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*"
]
}
]
}
also the bucket public access is blocked. here is a snapshot of bucket policy
Basically I want the bucket to be private in order to prevent unauthorized users from uploading files but I would like to grant public read access to the objects inside the bucket for any user
It appears that you want to allow anyone to retrieve an object, but they should not be allowed to do anything else.
There are two ways to accomplish this:
1. Using ACLs
You could assign a public-read ACL to the individual objects. This also requires S3 Block Public Access to be deactivated for the two ACL-related options.
In this way, your bucket remains private but the objects are accessible if the name of the object is known. (Listing is not enabled.)
2. Using a Bucket Policy
This policy will allow anyone to access objects in the bucket:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
It will permit any attempt to get an object, but will not allow listing, deleting, etc.
For BOTH the above options, if you want "authorized" users to be able to do things like upload and delete objects, then those permissions should be assigned directly to the IAM Users (without using an S3 Bucket Policy).