Granting Public Access to an Amazon S3 Object

Lab Steps

lock
Logging in to the Amazon Web Services Console
lock
Creating an Amazon S3 Bucket
lock
Creating a Folder inside an Amazon S3 Bucket
lock
Uploading a File to Amazon S3
lock
Granting Public Access to an Amazon S3 Object
lock
Changing the Metadata of an Amazon S3 Object
lock
Deleting an Amazon S3 Bucket
Need help? Contact our support team

Here you can find the instructions for this specific Lab Step.

If you are ready for a real environment experience please start the Lab. Keep in mind that you'll need to start from the first step.

Introduction

All uploaded files are private by default and can only be viewed, edited, or downloaded by you. In order to illustrate this point, complete the instructions below.

Note: The terms "file" and "object" are often used interchangeably when discussing Amazon S3. Technically, Amazon S3 is an object-store. It is not a block storage device and does not contain a file system as your local computer does. However, files such as images, movies, and sound clips are often uploaded from your file system to Amazon S3.

 

Instructions

1. Click on the object you just uploaded to the S3 bucket.

Take a look at the Object overview section:

alt

 

2. Under Object URL, right-click the link and open the URL in a new browser tab:

 You will see an XML (eXtensible Markup Language) response telling you that access is denied for this object:

alt

Note: The response may appear differently depending upon your web browser.

Leave the browser tab open. You will return to it shortly.

To allow public access to objects, you need to disable the default safety guards that prevent them from being made publicly accessible.

 

3. To return to the bucket view, at the top of the page, click the name of your bucket in the bread crumb trail:

alt

 

4. Click the Permissions tab and click Edit in the Block public access section:

alt

 

5. Uncheck all of the options to allow all kinds of public access:

alt

You should carefully consider anytime you allow public access to S3 buckets. AWS has implemented these security features to help prevent data breaches. For this lab, there is no sensitive data and you do want to allow public access.

Poorly managed Amazon S3 permissions have been a contributing factor to many unauthorized data access events. AWS is making sure you understand the implications of allowing public access to an Amazon S3 bucket.

 

6. At the bottom of the page, click Save changes:

alt

A confirmation dialog box will appear.

 

7. Enter confirm in the confirmation dialog box and click Confirm:

alt

You will see a green notification that the public access settings have been edited.

Turning off Block all public access does not automatically make objects in an Amazon S3 bucket public. There are several ways of of explicitly granting public access including:

  • Bucket policies
  • IAM policies
  • Access control lists
  • Pre-signed URLs

In this lab, you will use a bucket policy to grant public access to your Amazon S3 bucket.

 

8. Scroll down to the Bucket policy section and click Edit:

alt

The Edit bucket policy page will load. Here you can specify a JSON (JavaScript Object Notation) policy to control access to your Amazon S3 bucket.

 

9. Replace the contents of the Policy editor with the following:

Copy code
1
2
3
4
5
6
7
8
9
10
11
12
13
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "BUCKET_ARN/*",
      "Principal": "*"
    }
  ]
}

This is a permissive policy that allows GetObject access to anyone. More restrictive policies are possible such as

    • Restricting access to specific principals
    • Allow cross AWS account access
    • Using conditions to restrict access to a specific IP address

    Notice the Resource is currently "BUCKET_ARN/*",  which is causing an error.  We need to replace this with the ARN of the bucket we created:

    alt

     

    10. Click the copy icon under Bucket ARN and replace BUCKET_ARN in the value of the Resource key with the ARN you just copied :

     

    alt

    Note: Ensure that you preserve the /* at the end of the value. This means that the policy will apply to all objects inside the bucket recursively. Public access won't be granted if this is not present.

     

    12. At the bottom of the page, click Save changes:

    alt

    You will see a green notification that the bucket policy was edited.

     

    13. Return to the browser tab where access was denied and fresh the browser tab.

    You will see the response change from “Access Denied” to the logo: 

    alt

     

    Summary

    In this lab step, you made an object in S3 viewable to the public.

    This is a common use case, so AWS makes it fairly easy to make objects public. In some production environments, wide-open access to objects (images, video clips, etc.) is not desirable. There are much more granular permissions available on bucket objects, and you should always consider security implications when making objects public.

    For example, in your production environment, you may only want to grant read permissions to S3 objects in a specific bucket to EC2 instances you launch, not everyone on the Internet. Or, you may have a need for your customers to view objects, but prohibit downloads and editing, etc.