How can I grant public read access to some objects in my Amazon S3 bucket?


I want some objects in my Amazon Simple Storage Service (Amazon S3) bucket to be publicly readable. However, I don't want to change the permissions on other objects that are in the same bucket.

Short description

Grant public read access in one of these ways:

  • Update the object's access control list (ACL) using the Amazon S3 console
  • Update the object's ACL using the AWS Command Line Interface (AWS CLI)
  • Use a bucket policy that grants public read access to a specific object tag
  • Use a bucket policy that grants public read access to a specific prefix

Important: Granting public access through bucket and object ACLs doesn't work for buckets that have S3 Object Ownership set to Bucket owner enforced, because ACLs are disabled on those buckets. In most cases, you don't need ACLs to grant permissions to objects and buckets. Instead, use AWS Identity and Access Management (IAM) policies and S3 bucket policies to grant permissions to objects and buckets.

By default, new buckets, access points, and objects don't allow public access. If block public access is turned on for all buckets within the account, the message "Bucket and objects not public" is shown. To learn more, see Configuring block public access settings for your account.

Resolution

Important: Before you begin, confirm that no block public access settings at the account level or the bucket level prevent you from making the objects public. Amazon S3 applies the most restrictive combination of the two levels, so a setting that's turned on at either level takes effect. By default, all four block public access settings are turned on for new S3 buckets.
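The following is an added example, not code from AWS, that automates this pre-flight check with boto3-style clients. It reads the account-level and bucket-level block public access settings, merges them the way S3 does, reads the bucket's Object Ownership setting, and reports which of the two methods on this page (object ACL or bucket policy) can work. The account ID 111122223333 and the placeholder bucket name are assumptions, and the in-memory fake clients at the bottom are constructed here so the code runs offline; with real clients, pass boto3.client("s3control") and boto3.client("s3").

```python
"""Pre-flight check for the block public access and Object Ownership settings.

Added example, not AWS's code. Reads the account-level and bucket-level Block
Public Access settings plus the bucket's Object Ownership setting and reports
which of this page's methods (object ACL or bucket policy) can work. Clients
are injected so the logic runs offline against the constructed fakes at the
bottom; for real use pass boto3.client("s3control") and boto3.client("s3").
"""

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def aws_error_code(exc):
    """Error code from a botocore ClientError (or the fake error below)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def effective_public_access_block(s3control, s3, account_id, bucket):
    """S3 applies the most restrictive combination of both levels: a flag is in
    effect if either level turns it on. A missing configuration blocks nothing."""
    merged = {flag: False for flag in BPA_FLAGS}
    lookups = (
        lambda: s3control.get_public_access_block(AccountId=account_id),
        lambda: s3.get_public_access_block(Bucket=bucket),
    )
    for lookup in lookups:
        try:
            cfg = lookup()["PublicAccessBlockConfiguration"]
        except Exception as exc:
            if aws_error_code(exc) != "NoSuchPublicAccessBlockConfiguration":
                raise
            continue
        for flag in BPA_FLAGS:
            merged[flag] = merged[flag] or bool(cfg.get(flag, False))
    return merged


def object_ownership(s3, bucket):
    """'BucketOwnerEnforced', 'BucketOwnerPreferred', 'ObjectWriter', or None when
    the bucket has no ownership controls (ACLs are still honoured in that case)."""
    try:
        controls = s3.get_bucket_ownership_controls(Bucket=bucket)
    except Exception as exc:
        if aws_error_code(exc) != "OwnershipControlsNotFoundError":
            raise
        return None
    return controls["OwnershipControls"]["Rules"][0]["ObjectOwnership"]


def viable_methods(bpa, ownership):
    """Which of the page's two mechanisms can actually produce public reads."""
    acls_enabled = ownership != "BucketOwnerEnforced"
    return {
        # BlockPublicAcls rejects new public ACLs; IgnorePublicAcls ignores existing ones.
        "object_acl": acls_enabled and not (bpa["BlockPublicAcls"] or bpa["IgnorePublicAcls"]),
        # BlockPublicPolicy rejects a public policy; RestrictPublicBuckets limits one to AWS principals.
        "bucket_policy": not (bpa["BlockPublicPolicy"] or bpa["RestrictPublicBuckets"]),
    }


# ---- constructed fakes so the check runs offline; not real AWS responses ----
class AwsError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3Control:
    def __init__(self, cfg=None):
        self.cfg = cfg  # None = no configuration at this level

    def get_public_access_block(self, AccountId):
        if self.cfg is None:
            raise AwsError("NoSuchPublicAccessBlockConfiguration")
        return {"PublicAccessBlockConfiguration": dict(self.cfg)}


class FakeS3(FakeS3Control):
    def __init__(self, cfg=None, ownership=None):
        super().__init__(cfg)
        self.ownership = ownership

    def get_public_access_block(self, Bucket):
        return FakeS3Control.get_public_access_block(self, AccountId=None)

    def get_bucket_ownership_controls(self, Bucket):
        if self.ownership is None:
            raise AwsError("OwnershipControlsNotFoundError")
        return {"OwnershipControls": {"Rules": [{"ObjectOwnership": self.ownership}]}}


if __name__ == "__main__":
    # Constructed scenario: nothing blocked at account level, but the bucket blocks
    # public ACLs and is Bucket owner enforced, so only a bucket policy can work.
    bucket_cfg = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
    s3 = FakeS3(bucket_cfg, "BucketOwnerEnforced")
    bpa = effective_public_access_block(FakeS3Control(), s3, "111122223333", "DOC-EXAMPLE-BUCKET")
    print(viable_methods(bpa, object_ownership(s3, "DOC-EXAMPLE-BUCKET")))
```

Any flag that comes back True at either level has to be cleared before the corresponding method below can succeed, and a Bucket owner enforced bucket rules out the ACL method regardless of the block public access settings.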

Update the object's ACL using the Amazon S3 console

To make several objects public at once, follow these steps:

Warning: After you make several objects public, there's no option to undo this action for several objects at once. To remove public access, you must go into each object in the Amazon S3 console. Then, from the Permissions tab of the object, modify Public access. You must do this for every object where you want to undo the public access that you granted. Make sure to carefully review the list of objects before you make them public.

1.    Open the Amazon S3 console.

2.    From the list of buckets, choose the bucket with the objects that you want to update.

3.    Navigate to the folder that contains the objects.

4.    From the object list, select all the objects that you want to make public.

5.    Choose Actions, and then choose Make public.

6.    In the Make public dialog box, confirm that the list of objects is correct.

7.    Choose Make public.

To make an individual object public, you can repeat the previous process or follow these steps:

1.    From the Amazon S3 console, choose the bucket with the object that you want to update.

2.    Navigate to the folder that contains the object.

3.    Open the object by choosing the link on the object name.

4.    Choose the Permissions tab.

5.    Choose Edit.

6.    In the Everyone section, select Objects Read.

7.    Select I understand the effects of these changes on this object.

8.    Choose Save changes.

Update the object's ACL using the AWS CLI

For an object that you've already stored in Amazon S3, you can run this command to update its ACL for public read access:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key exampleobject --acl public-read

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

Or, instead of the public-read canned ACL, you can set the grants explicitly. This command grants full control of the object to the AWS account owner and read access to everyone (the AllUsers group):

Note: For the value of --grant-full-control, enter the account's canonical user ID.

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key exampleobject --grant-full-control id="008exampleA45666666668889999008853" --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers
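The console warning above notes that there is no bulk undo for objects made public by ACL. The following is an added example, not code from AWS, that performs the same ACL change from boto3 for a list of keys and pairs it with a bulk revert: the private canned ACL (ACL="private") removes the AllUsers READ grant again. It also verifies an object's ACL by reading its grants, and it maps the AccessControlListNotSupported error, which S3 returns when the bucket is Bucket owner enforced, to a clear message. The client is injected so the code runs offline against a constructed in-memory fake; with a real client, pass boto3.client("s3"). The bucket and key names are placeholders.

```python
"""Make several objects public-read via ACL, with a matching bulk undo.

Added example, not AWS code. The client is injected so the code runs offline
against the constructed FakeS3 below; in real use pass boto3.client("s3").
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def aws_error_code(exc):
    """Error code from a botocore ClientError (or the fake error below)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def set_public_read(s3, bucket, keys):
    """Apply the public-read canned ACL to every key, in order.

    Returns the keys changed. If any call fails, the keys already changed are
    reverted before the error is re-raised, so a partial run leaves nothing public.
    """
    changed = []
    for key in keys:
        try:
            s3.put_object_acl(Bucket=bucket, Key=key, ACL="public-read")
        except Exception as exc:
            revert_to_private(s3, bucket, changed)
            if aws_error_code(exc) == "AccessControlListNotSupported":
                raise RuntimeError("bucket is Bucket owner enforced: ACLs are "
                                   "disabled, use a bucket policy instead") from exc
            raise
        changed.append(key)
    return changed


def revert_to_private(s3, bucket, keys):
    """Bulk undo: the private canned ACL leaves only the owner's FULL_CONTROL."""
    for key in keys:
        s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")


def is_public_read(s3, bucket, key):
    """True if the object's ACL grants READ (or more) to the AllUsers group."""
    grants = s3.get_object_acl(Bucket=bucket, Key=key)["Grants"]
    return any(
        g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") == ALL_USERS
        and g["Permission"] in ("READ", "FULL_CONTROL")
        for g in grants
    )


# ---- constructed fake; not real AWS responses ----
class AwsError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Tracks the canned ACL per key; acls_supported=False mimics Bucket owner enforced."""

    def __init__(self, keys, acls_supported=True):
        self.acl = {k: "private" for k in keys}
        self.acls_supported = acls_supported

    def put_object_acl(self, Bucket, Key, ACL):
        if not self.acls_supported:
            raise AwsError("AccessControlListNotSupported")
        if Key not in self.acl:
            raise AwsError("NoSuchKey")
        self.acl[Key] = ACL

    def get_object_acl(self, Bucket, Key):
        grants = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                   "Permission": "FULL_CONTROL"}]
        if self.acl[Key] == "public-read":
            grants.append({"Grantee": {"Type": "Group", "URI": ALL_USERS},
                           "Permission": "READ"})
        return {"Owner": {"ID": "owner"}, "Grants": grants}


if __name__ == "__main__":
    # Constructed bucket contents; keys and bucket name are placeholders.
    s3 = FakeS3(["docs/a.html", "docs/b.css"])
    made = set_public_read(s3, "DOC-EXAMPLE-BUCKET", ["docs/a.html", "docs/b.css"])
    print(made, is_public_read(s3, "DOC-EXAMPLE-BUCKET", "docs/a.html"))
    revert_to_private(s3, "DOC-EXAMPLE-BUCKET", made)
    print(is_public_read(s3, "DOC-EXAMPLE-BUCKET", "docs/a.html"))
```

Keep the list returned by set_public_read: it is exactly the set of keys you need to pass to revert_to_private later, which the console can't do for you in one step.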

Use a bucket policy that grants public read access to a specific object tag

Important: Before you begin, be sure to review the pricing for S3 Object Tagging.

First, add a bucket policy that allows public read access to any objects with a specific tag. For example, this policy allows public read access for any object that's tagged with the key-value pair public=yes:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/public": "yes"
        }
      }
    }
  ]
}

Then, add the tag to the objects that you want to be publicly readable. You can add or manage object tags by using the Amazon S3 console. Or, you can use the AWS CLI.

To check if an object has any existing tags, run this AWS CLI command:

aws s3api get-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject

To add a tag to an object that doesn't have any existing tags, run this command:

Warning: This command overwrites any existing object tags.

aws s3api put-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject --tagging 'TagSet={Key=public,Value=yes}'

To add a tag to an object that already has tags, run the following command. The command replaces the object's entire tag set, so include the new tag and every existing tag that you want to keep. The tag value must match the bucket policy's condition exactly, because the StringEquals comparison is case-sensitive:

aws s3api put-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject --tagging 'TagSet=[{Key=public,Value=yes},{Key=exampletag1,Value=one},{Key=exampletag2,Value=two}]'

After you add the object tag, run this command again to confirm the object's tags:

aws s3api get-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject
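Because put-object-tagging replaces the whole tag set, a practical tool should read the current tags first and merge. The following is an added example, not code from AWS, that does this with boto3-style get_object_tagging/put_object_tagging/delete_object_tagging calls, enforces the 10-tags-per-object limit, supports versioned objects (tags are per version), and checks an object against the same public=yes condition the bucket policy above uses. The client is injected so the code runs offline against a constructed in-memory fake; with a real client, pass boto3.client("s3"). Bucket, key and tag names are placeholders.

```python
"""Add or remove one object tag without clobbering the object's other tags.

Added example, not AWS code. PutObjectTagging replaces the whole tag set, so
the functions read the current set first and merge. The client is injected so
the code runs offline against the constructed FakeS3 below; in real use pass
boto3.client("s3").
"""

MAX_OBJECT_TAGS = 10  # S3 allows at most 10 tags per object


def add_object_tag(s3, bucket, key, tag_key, tag_value, version_id=None):
    """Set tag_key=tag_value, keeping every other existing tag. Returns the new set."""
    extra = {"VersionId": version_id} if version_id else {}  # tags are per object version
    existing = s3.get_object_tagging(Bucket=bucket, Key=key, **extra)["TagSet"]
    tagset = [t for t in existing if t["Key"] != tag_key]
    tagset.append({"Key": tag_key, "Value": tag_value})
    if len(tagset) > MAX_OBJECT_TAGS:
        raise ValueError(f"{key}: object would exceed {MAX_OBJECT_TAGS} tags")
    s3.put_object_tagging(Bucket=bucket, Key=key, Tagging={"TagSet": tagset}, **extra)
    return tagset


def remove_object_tag(s3, bucket, key, tag_key, version_id=None):
    """Drop tag_key (which revokes policy-based public access) and keep the rest."""
    extra = {"VersionId": version_id} if version_id else {}
    existing = s3.get_object_tagging(Bucket=bucket, Key=key, **extra)["TagSet"]
    remaining = [t for t in existing if t["Key"] != tag_key]
    if len(remaining) == len(existing):
        return remaining  # tag was not present; no write needed
    if remaining:
        s3.put_object_tagging(Bucket=bucket, Key=key, Tagging={"TagSet": remaining}, **extra)
    else:
        s3.delete_object_tagging(Bucket=bucket, Key=key, **extra)
    return remaining


def is_tagged_public(s3, bucket, key, version_id=None):
    """Mirror of the policy condition StringEquals s3:ExistingObjectTag/public = "yes"
    (exact, case-sensitive match)."""
    extra = {"VersionId": version_id} if version_id else {}
    tags = s3.get_object_tagging(Bucket=bucket, Key=key, **extra)["TagSet"]
    return any(t["Key"] == "public" and t["Value"] == "yes" for t in tags)


# ---- constructed fake; not real AWS responses (ignores VersionId) ----
class FakeS3:
    def __init__(self, tags):
        self.tags = {k: [dict(t) for t in v] for k, v in tags.items()}

    def get_object_tagging(self, Bucket, Key, VersionId=None):
        return {"TagSet": [dict(t) for t in self.tags.get(Key, [])]}

    def put_object_tagging(self, Bucket, Key, Tagging, VersionId=None):
        self.tags[Key] = [dict(t) for t in Tagging["TagSet"]]
        return {}

    def delete_object_tagging(self, Bucket, Key, VersionId=None):
        self.tags.pop(Key, None)
        return {}


if __name__ == "__main__":
    # Constructed object with two existing tags, as in the page's example.
    s3 = FakeS3({"exampleobject": [{"Key": "exampletag1", "Value": "one"},
                                   {"Key": "exampletag2", "Value": "two"}]})
    print(add_object_tag(s3, "DOC-EXAMPLE-BUCKET", "exampleobject", "public", "yes"))
    print(is_tagged_public(s3, "DOC-EXAMPLE-BUCKET", "exampleobject"))
    print(remove_object_tag(s3, "DOC-EXAMPLE-BUCKET", "exampleobject", "public"))
```

Removing the tag is the undo for this method: the policy stays in place, but an object without public=yes no longer matches its condition.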

Use a bucket policy that grants public read access to a specific prefix

Warning: The following bucket policy grants public read access to all objects under a specific prefix. Before you use this bucket policy, confirm that your use case supports all objects within the prefix being publicly readable. This policy doesn't grant list access for the prefix. A user can access an object only if the object path is known. Because the policy grants s3:GetObject but not s3:ListBucket, a request for an object that doesn't exist under the prefix returns a 403 error rather than a 404, so anonymous users can't use the response to probe for object names.

To grant public read access to a specific object prefix, add a bucket policy similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/publicprefix/*"]
    }
  ]
}

Then, copy the objects into the prefix with public read access. You can copy an object into the prefix by running a command similar to the following:

aws s3 cp s3://DOC-EXAMPLE-BUCKET/exampleobject s3://DOC-EXAMPLE-BUCKET/publicprefix/exampleobject

Note: If the object is already stored under the prefix that the bucket policy covers, you don't need to copy it. The policy applies to every object under the prefix as soon as the policy is in place.
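Two things go wrong in practice with this method: people apply the policy without looking at what is already under the prefix, and put-bucket-policy replaces the whole bucket policy, silently dropping any statements that were there before. The following is an added example, not code from AWS, that lists every key under the prefix (following ListObjectsV2 pagination) for review, requires the prefix to end in a slash so that publicprefix/* can't also match a sibling such as publicprefix-internal/, and merges the page's AddPerm statement into the existing policy instead of overwriting it. The client is injected so the code runs offline against a constructed in-memory fake; with a real client, pass boto3.client("s3"). Bucket, prefix and key names are placeholders.

```python
"""Grant public read to a prefix via bucket policy, after reviewing what it exposes.

Added example, not AWS code. The client is injected so the code runs offline
against the constructed FakeS3 below; in real use pass boto3.client("s3").
"""
import json

PUBLIC_SID = "AddPerm"  # same Sid as the policy on this page


def aws_error_code(exc):
    """Error code from a botocore ClientError (or the fake error below)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def keys_under_prefix(s3, bucket, prefix):
    """Every key that starts with prefix, following ListObjectsV2 pagination."""
    keys, kwargs = [], {"Bucket": bucket, "Prefix": prefix}
    while True:
        page = s3.list_objects_v2(**kwargs)
        keys.extend(o["Key"] for o in page.get("Contents", []))
        if not page.get("IsTruncated"):
            return keys
        kwargs["ContinuationToken"] = page["NextContinuationToken"]


def public_prefix_statement(bucket, prefix):
    """The page's statement. prefix must end in '/': 'publicprefix*' would also
    match keys such as 'publicprefix-internal/secret.txt'."""
    if not prefix.endswith("/"):
        raise ValueError("prefix must end with '/'")
    return {"Sid": PUBLIC_SID, "Effect": "Allow", "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"]}


def merge_statement(policy, statement):
    """Return policy with statement added, replacing any statement with the same Sid.
    Other statements are kept, since PutBucketPolicy replaces the whole document."""
    policy = policy or {"Version": "2012-10-17", "Statement": []}
    stmts = policy["Statement"]
    stmts = stmts if isinstance(stmts, list) else [stmts]
    stmts = [s for s in stmts if s.get("Sid") != statement["Sid"]] + [statement]
    return {**policy, "Statement": stmts}


def publish_prefix(s3, bucket, prefix, approve):
    """List keys under prefix; if approve(keys) returns True, apply the merged
    policy. Returns the policy applied, or None if the change was declined."""
    stmt = public_prefix_statement(bucket, prefix)  # validates prefix before any API call
    keys = keys_under_prefix(s3, bucket, prefix)
    if not approve(keys):
        return None
    try:
        current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except Exception as exc:
        if aws_error_code(exc) != "NoSuchBucketPolicy":
            raise
        current = None  # bucket has no policy yet
    merged = merge_statement(current, stmt)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(merged))
    return merged


# ---- constructed fake; not real AWS responses. Pages two keys at a time ----
class AwsError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    def __init__(self, keys, policy=None):
        self.keys, self.policy = sorted(keys), policy

    def list_objects_v2(self, Bucket, Prefix, ContinuationToken=None):
        matching = [k for k in self.keys if k.startswith(Prefix)]
        start = int(ContinuationToken or 0)
        truncated = start + 2 < len(matching)
        out = {"Contents": [{"Key": k} for k in matching[start:start + 2]],
               "IsTruncated": truncated}
        if truncated:
            out["NextContinuationToken"] = str(start + 2)
        return out

    def get_bucket_policy(self, Bucket):
        if self.policy is None:
            raise AwsError("NoSuchBucketPolicy")
        return {"Policy": json.dumps(self.policy)}

    def put_bucket_policy(self, Bucket, Policy):
        self.policy = json.loads(Policy)


if __name__ == "__main__":
    # Constructed bucket contents: note the sibling prefix that must stay private.
    s3 = FakeS3(["publicprefix/index.html", "publicprefix/app.js", "publicprefix/img/logo.png",
                 "publicprefix-internal/secret.txt", "private/report.pdf"])

    def approve(keys):
        print("would become public:", *keys, sep="\n  ")
        return True

    print(json.dumps(publish_prefix(s3, "DOC-EXAMPLE-BUCKET", "publicprefix/", approve), indent=2))
```

In real use, replace the approve callback with an interactive prompt or a check against an allow-list of expected keys; the listing step is the review the warning above asks for.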

Related information

Configuring ACLs

AWS OFFICIAL
Updated 2 years ago