Making the Amazon S3 Objects Publicly Accessible


Introduction

All uploaded files are private by default and can only be viewed by the AWS account owner, but you can make them accessible to everyone using the AWS Management Console.

In this lab step, you will modify the permissions of the Amazon S3 bucket you created earlier so the bucket can be accessed publicly.

 

Instructions

1. In the Amazon S3 Console for your bucket, click the Permissions tab:


2. Scroll down to Block public access (bucket settings) and click Edit:


3. Uncheck Block all public access:


Also, ensure that all other checkboxes are unchecked.

Note: Think carefully any time you allow public access to S3 buckets. AWS has implemented these security features to help prevent data breaches. For this lab, there is no sensitive data and you do want to allow public access.

The Block public access setting is an extra layer of security; turning it off does not automatically make objects public. By turning it off, you are confirming that you understand the implications of making objects in an Amazon S3 bucket public.

Poorly managed Amazon S3 bucket permissions are a common cause of unauthorized data access. To learn more about access control in Amazon S3, visit the Blocking public access to your Amazon S3 storage page of the Amazon S3 documentation.

 

4. To save your changes, scroll to the bottom, and click Save changes:


The Amazon S3 Console will ask you to confirm that you want to make this change.

 

5. Enter confirm in the text-box and click Confirm:


6. Scroll down to the Bucket policy section and click Edit:


7. In the Policy editor, replace the existing contents with the following bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "BUCKET_ARN/*",
      "Principal": "*"
    }
  ]
}

This policy allows anyone to get an object from this bucket. This is a very permissive policy that is suitable for this lab and a bucket that is used to host a public website. This kind of policy should not be used when an Amazon S3 bucket contains sensitive data.

Bucket policies allow restricting access to specific actions, as in the policy above. They also allow restricting access to specific IP addresses and applying other sophisticated conditions.

There are several ways to make Amazon S3 objects public:

  • Bucket policies
  • Access control lists
  • IAM policies
  • Pre-signed URLs (for short-lived public access)

Which method you should use will depend upon the requirements of your solution.

 

8. Above the Policy editor, under Bucket ARN, click the copy icon:


9. In the Policy editor, replace BUCKET_ARN with the ARN you just copied.

Your policy will look similar to the policy above, with BUCKET_ARN replaced by your bucket's ARN.

The /* at the end of the resource is important. It means that this policy applies to every object in the bucket, including objects under prefixes such as gallery/. If it's not present, you won't be able to access objects in the bucket publicly.

 

10. Scroll to the bottom and click Save changes:


You will be returned to the Permissions tab for your bucket and you will see a green notification that the bucket policy was edited.

The changes you have made mean that all files in your bucket are now publicly available.

11. To see the contents of the gallery folder, click the Objects tab, and in the table, click gallery/:


12. Click the index.html object:


You will see an overview of this object.

 

13. Under Object URL, click the link:


You will see the Demo Gallery webpage load.

Look at the URL in the address bar. It will be similar to:

  • https://calabs-abc123.s3-us-west-2.amazonaws.com/gallery/index.html

The URL of any S3 object follows this template:

  • https://<bucket-name>.s3-us-west-2.amazonaws.com/<object-prefix>/<object-name>

Note: You may encounter older S3 buckets using the following URL format:

  • https://s3-<region>.amazonaws.com/<bucket-name>/<object-prefix>/<object-name> 

In 2020 AWS changed new buckets to use the current format (bucket name as a part of the hostname).
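
As an added example (not part of the original lab), the following Python code audits a bucket policy like the one from step 7: it reports every Allow statement whose Principal is everyone, whether a Condition narrows it, and whether the Resource is missing the /* discussed in step 9. The bucket name calabs-abc123 is reused from the sample URL above; the ARNs, the 203.0.113.0/24 range and all function names are constructed for illustration.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean anyone, signed in to AWS or not.
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)

def audit_bucket_policy(policy_json):
    """Return one finding per Allow statement whose Principal is everyone."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        names = [r.split(":::", 1)[-1] for r in _as_list(stmt.get("Resource", []))]
        # A Condition narrows the grant; whether it is narrow enough needs review.
        notes = ["condition: " + ", ".join(sorted(stmt["Condition"]))
                 if "Condition" in stmt else "unconditional public access"]
        # With no "/" and no wildcard after ":::" the Resource is the bucket itself,
        # which object actions such as s3:GetObject never match.
        if any("object" in a.lower() for a in actions) and not any(
                "/" in n or "*" in n for n in names):
            notes.append("object action on bucket-only Resource: matches no objects")
        findings.append({"statement": index, "actions": actions, "notes": notes})
    return findings

def make_policy(resource, condition=None):
    # Same shape as the lab's policy; the ARN and CIDR below are constructed samples.
    stmt = {"Action": ["s3:GetObject"], "Effect": "Allow",
            "Resource": resource, "Principal": "*"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

LAB_POLICY = make_policy("arn:aws:s3:::calabs-abc123/*")
NO_WILDCARD = make_policy("arn:aws:s3:::calabs-abc123")
IP_LIMITED = make_policy("arn:aws:s3:::calabs-abc123/*",
                         {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}})

if __name__ == "__main__":
    for policy in (LAB_POLICY, NO_WILDCARD, IP_LIMITED):
        print(audit_bucket_policy(policy))
```

An empty result means no statement grants access to everyone; statements that name a specific AWS principal are not reported.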

 

Summary

In this lab step, you modified the permissions of the Amazon S3 bucket you created earlier so that your gallery of images can be accessed publicly.