Amazon S3 – How to Create a Public Read and Download Only Bucket

I am trying to setup an S3 Bucket that has public read and download permissions, but not public upload.

I have the following permissions in the "Access Control List"

And Bucket Policy which allows the public read/download (I think?)

{
    "Version": "2012-10-17",
    "Id": "Policy1234567890",
    "Statement": [
        {
            "Sid": "Stmt1234567890",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-public-bucket/*"
        }
    ]
}

I'm pretty new to setting AWS S3 Buckets up, and my goal here is that I have a public bucket that anyone can read and download objects from it, but only I have the access to do any additional operations to it like uploading, changing permissions, etc.

Right now, when I use an AWS account that's not the user that created this bucket, I still seem to be able to upload things even though for "Public Access – Everyone", I only have the "List Objects" permission and not write.

Can someone tell me what Access Control or Bucket Policy I need to change to grant ONLY public read and download permissions?

Best Answer

when I use an AWS account that's not the user that created this bucket, I still seem to be able to upload things

Is that AWS account actually just a different IAM user in the same AWS account? With your settings all IAM Users from your AWS account have full permissions on the bucket.

If you want to give Upload access only to certain IAM users within your account follow this guide: How to Restrict Amazon S3 Bucket Access to a Specific IAM Role (IAM Role is similar enough to IAM User in this context - the guide should work for you).

Hope that helps :)

Best Answer

Related Solutions

Amazon S3 permissions don’t specify public access however public can read objects

Security – Why AWS Recommends Against Public S3 Buckets

Related Topic