Amazon S3 permissions don't specify public access, however the public can read objects

Tags: access-control-list, amazon-s3, amazon-web-services

I've got an AWS S3 bucket where the only permissions I've defined are for myself and Amazon's Log Delivery. As shown from the AWS Console:

[Screenshot: aws s3 bucket perms 1]

As shown from another tool (S3 Browser):

[Screenshot: aws s3 bucket perms 2]

There's no public or everyone or anonymous users in the ACL.

Yet, public/anonymous users can read objects from the bucket:

[Screenshot: public access]

How can this be?

Best Answer

S3 has three ways to control access:

  • IAM
  • Bucket Policy
  • ACLs

I suspect you have a bucket policy that provides public access.

A bucket policy like this, which you haven't mentioned, would provide public access.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "AddPerm",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKETNAME/*"
      }
  ]
}
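An added example, not part of the question or the answer above: a small Python checker that reads a bucket policy document (the JSON that `aws s3api get-bucket-policy --bucket BUCKETNAME --query Policy --output text` prints) and reports every Allow statement whose Principal is anonymous, which is exactly the kind of grant the ACL view in the console never shows. The three policies embedded below are constructed samples; the account ID and IP range in them are placeholders. The checker ignores NotPrincipal/NotAction and does not evaluate Deny statements, so treat its output as a starting point rather than AWS's own verdict.

```python
import fnmatch
import json

# Constructed sample 1: the public-read bucket policy quoted in the answer.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AddPerm",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::BUCKETNAME/*",
    }],
})

# Constructed sample 2: same grant, but only to one (placeholder) account root.
ACCOUNT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OneAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"],
    }],
})

# Constructed sample 3: anonymous grant narrowed by a source-IP condition
# (placeholder range). Still worth reporting, but not unconditionally public.
IP_LIMITED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OfficeOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:Get*",
        "Resource": "arn:aws:s3:::BUCKETNAME/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})


def _as_list(value):
    """IAM policy grammar allows a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True when the Principal grants to everyone: "*" or {"AWS": "*"}.
    Both spellings are equivalent in a resource-based policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def find_public_grants(policy_document):
    """Return the Allow statements whose Principal is anonymous.

    Each finding records the Sid, actions, resources and the Condition keys
    (if any) so a human can judge whether the condition really limits access.
    """
    policy = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny never widens access
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "condition_keys": sorted(
                key for operator in stmt.get("Condition", {}).values()
                for key in operator),
        })
    return findings


def is_publicly_readable(policy_document):
    """True if an unconditional anonymous Allow covers s3:GetObject.

    IAM action names are case-insensitive and may contain * and ? wildcards,
    which fnmatch handles the same way.
    """
    for grant in find_public_grants(policy_document):
        if grant["condition_keys"]:
            continue  # conditional grants are reported, not counted as open
        for action in grant["actions"]:
            if fnmatch.fnmatchcase("s3:getobject", action.lower()):
                return True
    return False


if __name__ == "__main__":
    for name, doc in [("public-read", PUBLIC_READ_POLICY),
                      ("account-only", ACCOUNT_ONLY_POLICY),
                      ("ip-limited", IP_LIMITED_POLICY)]:
        print(name, "public read:", is_publicly_readable(doc),
              "anonymous grants:", find_public_grants(doc))
```

To get the authoritative answer rather than this approximation, ask S3 directly: `aws s3api get-bucket-policy-status --bucket BUCKETNAME` reports whether the policy is public, and `aws s3api get-public-access-block --bucket BUCKETNAME` shows whether Block Public Access would override such a policy in the first place.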