Public Read Access for AWS Amplify Storage

Allow unauthenticated users access to files in public Amplify Storage bucket

Rob Moore
Floom
Apr 30, 2019

This article was originally published on Floom.

AWS Amplify Storage provides three levels of content protection: private, protected, and public.

  • private: These files are only accessible to the individual user that uploaded them. By default, these files are stored in your storage bucket under private/{user_identity_id}/ where the user_identity_id corresponds to the unique Amazon Cognito Identity ID for that user.
  • protected: These files are readable by all users, but writable only by the creating user. By default, these files are stored under protected/{user_identity_id}/ where the user_identity_id corresponds to the unique Amazon Cognito Identity ID for that user.
  • public: These files are read and write accessible by all users of your app. Files are stored under the public/ path in your S3 bucket.

When using Storage.put and Storage.get, you can specify which level of content you are referring to. For example:

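import { Storage } from 'aws-amplify';

// Upload at the protected level: readable by all users, writable only by the creating user
Storage.put('sample.txt', 'Sample content', {
  level: 'protected',
  contentType: 'text/plain'
});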

Both protected and public files permit read access from users who are not the file owners. But if you want to grant truly public read access to users and non-users (guests) alike, you can do so by adding a rule to s3-cloudformation-template.json. Under the Resources key, add the following policy:

This will allow everyone, including unauthenticated guests, read access to files in your storage bucket listed under /protected/*. You can do the same for files under the /public/* prefix as well. Make sure to run amplify push once you’ve added this policy.
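
To confirm which Amplify Storage paths a policy of this kind actually opens to guests, the following added example (not code from the original article) evaluates a constructed bucket policy for anonymous s3:GetObject access. The bucket name example-bucket, the sample keys and the helper function names are assumptions.

```javascript
// Constructed sample: a bucket policy of the kind described, after CloudFormation
// has resolved the bucket name ("example-bucket" is a placeholder).
const samplePolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: '*',
    Action: 's3:GetObject',
    Resource: 'arn:aws:s3:::example-bucket/protected/*'
  }]
};

const asArray = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);

// IAM-style wildcards: * matches any run of characters, ? matches exactly one.
function wildcardMatch(pattern, value, flags = '') {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${re}$`, flags).test(value);
}

function isAnonymous(principal) {
  if (principal === '*') return true;
  return typeof principal === 'object' && principal !== null &&
    asArray(principal.AWS).includes('*');
}

// True when the policy alone lets an unauthenticated caller GET `key`.
// Simplifications: statements with a Condition are skipped (not evaluated),
// and S3 Block Public Access settings are not considered.
function isPubliclyReadable(policy, bucket, key) {
  const arn = `arn:aws:s3:::${bucket}/${key}`;
  let allowed = false;
  for (const s of asArray(policy.Statement)) {
    if (s.Condition || !isAnonymous(s.Principal)) continue;
    const hit = asArray(s.Action).some((a) => wildcardMatch(a, 's3:GetObject', 'i')) &&
      asArray(s.Resource).some((r) => wildcardMatch(r, arn));
    if (!hit) continue;
    if (s.Effect === 'Deny') return false; // explicit deny always wins
    allowed = allowed || s.Effect === 'Allow';
  }
  return allowed;
}

// One key per Amplify Storage level; the identity ID is made up.
for (const key of ['public/a.txt', 'protected/us-east-1:1234/a.txt', 'private/us-east-1:1234/a.txt']) {
  console.log(key, isPubliclyReadable(samplePolicy, 'example-bucket', key));
}
```

With the sample policy only the protected/ key reports true; a Resource of arn:aws:s3:::example-bucket/* would also expose every private/ object, which is the mistake this check is meant to catch before amplify push.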
