How to Make S3 Objects Publicly Available in 2023
Amazon Simple Storage Service (S3) is a popular service for storing and retrieving any amount of data at any time from anywhere on the web. By default, all newly created objects in an S3 bucket are private. However, there are scenarios where you might want to make an object, or even the entire bucket, accessible to the public. In this blog post, we’ll walk you through various methods to do just that.
Since April 2023, AWS disables Access Control Lists (ACLs) by default, and keeping them disabled is also the recommended setting (Link to AWS). If you want to use ACLs, you have to choose to enable them, both when creating an Amazon S3 bucket and for existing buckets.
To enable public access, the bucket's public access settings have to be changed as well.
Making an Individual Object Public via the AWS Management Console
For system operators who prefer a GUI:
- Log in to the AWS Management Console — Navigate to S3 from the list of services.
- Select Your Bucket — Find the S3 bucket that contains the object you want to make public.
- Locate the Object — Navigate through the bucket’s folders until you find the desired object.
- Make it Public — Right-click on the object and choose ‘Make public’.
Making an Individual Object Public via AWS CLI
For developers who prefer the command line:
First, ensure that you have the AWS CLI installed and configured.
aws s3api put-object-acl --bucket BUCKET-NAME --key OBJECT-KEY --acl public-read
Replace `BUCKET-NAME` with the name of your bucket and `OBJECT-KEY` with the path to your object.
Making All Objects in a Bucket Public via Bucket Policy
This method suits system operators who want to provide public access to all objects within a bucket.
- Navigate to Your Bucket’s Permissions — In the S3 Management Console, select your bucket, and then click on the ‘Permissions’ tab.
- Bucket Policy — Click on ‘Bucket Policy’ and paste in the following policy:
{
"Version":"2012-10-17",
"Statement":[{
"Sid":"PublicRead",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::BUCKET-NAME/*"],
"Condition": {
"Bool": {
"aws:SecureTransport":"true"
}
}
}]
}
To further increase security, the policy contains a condition. It ensures that traffic to the bucket is secured via TLS (HTTPS). This is achieved through the condition entry `"aws:SecureTransport":"true"`.
Replace `BUCKET-NAME` with the name of your bucket.
Using Pre-Signed URLs for Temporary Access
For developers who want to grant temporary public access:
A pre-signed URL gives temporary access to a private object. It’s generated with your AWS credentials and is valid for a specific duration.
aws s3 presign s3://BUCKET-NAME/OBJECT-KEY --expires-in EXPIRATION-TIME-IN-SECONDS
Safety Precautions
1. Always Double-Check: Making objects public can expose sensitive data. Always make sure the data you’re sharing is intended for public view.
2. Monitoring: Set up S3 bucket logging to monitor access to your public objects.
3. Limit Exposure: If only specific regions or IPs need access, tailor your bucket policy to be as restrictive as necessary.
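One way to double-check a bucket policy before applying it, as an added example that is not part of the original post: a small offline review of every statement that allows anonymous access, testing the same three properties the policy above relies on (read-only action, object-level resource, TLS condition). The function names and the sample policy string are constructed for this illustration, and the check only covers `Allow` statements with a wildcard principal.

```python
import json

# Constructed sample: the policy from this post, BUCKET-NAME left as a placeholder.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::BUCKET-NAME/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }]
}"""

def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def review_public_statements(policy_json):
    """Map each public Allow statement (by Sid) to a list of findings."""
    report = {}
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue  # not an anonymous grant, nothing to review here
        findings = []
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "NotAction" in stmt or any(a != "s3:getobject" for a in actions):
            findings.append("grants more than s3:GetObject to everyone")
        resources = _as_list(stmt.get("Resource", []))
        if any("/" not in r.split(":::")[-1] for r in resources):
            findings.append("resource is not limited to objects under a bucket")
        tls = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if [str(v).lower() for v in _as_list(tls)] != ["true"]:
            findings.append("no aws:SecureTransport=true condition (plain HTTP allowed)")
        report[stmt.get("Sid", f"statement-{i}")] = findings
    return report
```

An empty findings list for a Sid means the statement is public but matches the shape used in this post; a statement that does not appear in the result grants nothing to anonymous callers.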
Summary
While Amazon S3 offers various ways to make objects publicly accessible, it’s essential to ensure data security. Only make data public when necessary and always be aware of what data you’re exposing. Whether you’re a developer or a system operator, AWS provides tools to suit your preferred method of operation, but always use these tools responsibly.
About the Author:
My name is Sven Leiss and I am a 5x certified AWS enthusiast and AWS Migration Blackbelt. I have been working in the AWS space for the past 7 years and have extensive knowledge of the AWS platform and its various services. I am passionate about helping customers get the most out of the cloud and have a great track record of successful implementations.
I have extensive experience in designing and implementing cloud architectures using AWS services such as EC2, S3, Lambda and more. I am also well versed in DevOps and AWS cloud migration journeys.
If you are looking for an experienced AWS expert, I would be more than happy to help. Feel free to contact me to discuss your cloud needs and see how I can help you get the most out of the cloud.