Home > front end >  How to make files in S3 publicly accessible but block public uploads?
How to make files in S3 publicly accessible but block public uploads?

Time:10-05

For an S3 bucket is there a way to allow public get access but restrict public uploads? i.e. everyone can view the files but only my server (IAM credentials) can upload.

My bucket policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrivatePut",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123:user/Access"
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::foo/*"
        },
        {
            "Sid": "PublicGet",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::foo/*"
        }
    ]
}

But when I try save this bucket policy I get an access denied error Error

My CORS policy:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "http://localhost:3000"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "https://example.com"
        ],
        "ExposeHeaders": []
    }
]

Not sure what to de/select for the Block public access settings

Currently they're all checked except for Block public and cross-account access to buckets and objects through any public bucket or access point policies

Also, adding "AllowedOrigins": ["http://localhost:3000"] to the CORS policy seems suss.

CodePudding user response:

When adding a Bucket Policy to an Amazon S3 bucket, turn off both "Block public access" options that mention "public bucket or access point policies". This should be sufficient to fix your issue.

Generally, granting public access is done via a bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicGet",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::foo/*"
        }
    ]
}

Granting access to a specific user is best done as a policy on the IAM User themselves rather than the bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrivatePut",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::foo/*"
        }
    ]
}

There is no need to modify CORS settings unless you are experiencing a specific error that mentions CORS.

Page link:https//www.codepudding.com/frontend/565709.html

Prev:How to add a column without breaking the grid (cxgrid)?
Next:Azure AD authentication login redirect not working on react app hosted on S3
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding