Restricting access to S3 objects unless url is signed-CodePudding

I've created a unique bucket for my private files on S3. This bucket is configured to block all public access. My application is configured to upload files to this s3 bucket with no public read access and I can confirm that the permissions on the objects reflect that this is working (i.e. there are no permissions given to the public on the objects that are uploaded).

Despite all of these measures to restrict public access to these files, these files are still visible to the public. I think that my IAM settings may be overriding the ACL setting as well as the bucket settings. I'm not sure which IAM setting to change or if changes may negatively impact other parts of my application, so I'd like to restrict access to this 'private bucket' with a bucket policy if possible.

This is what I've started with for a bucket policy:

{
    "Version": "2012-10-17",
    "Id": "My Special Bucket Policy",
    "Statement": [
        {
            "Sid": "DenyAccesstoAllFiles",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_private_bucket/*"
        }
    ]
}

Unfortunately, this blocks access to objects in this 'private bucket' even with a signed url.

Please note that I've been able to generate signed urls successfully. They expire in 60 seconds just as I've configured them.

Thanks for your help!

Edit: All my files are being uploaded like this:

CodePudding user response：

All buckets and objects are private by default. So normally you don't need any policy on them. In your case any access is denied, because Deny always wins over any Allow:

Remember, an explicit deny in any of these policies overrides the allow.

Thus, there is no way to enable any public access to your objects due to your Deny, and no pre-signed url will change that.

Normally what you do is that you get rid of your policy, and rely on default behavior that the buckets and objects are private. In that case, the pre-signed url will work.

CodePudding user response：

Two things to note:

Buckets created in AWS in default settings are always private and their objects are not accessible via their links. I think you have mixed up some links that make you believe that your objects are still visible :)
You do not need to have an explicit policy to deny all the access to your S3 objects.

I would recommend you to remove the policy that you have attached to your bucket and then test again if the public links to your objects work (they shouldn't if your bucket is made via default settings). Once that part is clear, your pre-signed URLs should work!