Exclude one Amazon S3 object from a Bucket Policy

Brian Published at Dev

Brian

I want to cancel the public access permission of a file(images/login_logo.png) inside my S3 bucket my-test-bucket.

Currently, this file's permission setting is as the following:

As you can see in the above picture. It has no public access for everyone.

But I can still access it from the s3 link.

Is this phenomenon caused by my bucket policy?

{
    "Version": "2012-10-17",
    "Id": "Policy1528702071704",
    "Statement": [
        {
            "Sid": "Stmt1528702067249",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-test-bucket/*"
        }
    ]
}

If so, what's the best way to cancel the public access permission of a single file inside a large public bucket which contains about 10,000 files?

I cannot apply make public to a large bucket due to this issue.

John Rotenstein

By default, all objects in Amazon S3 are private.

You can make an object accessible via a Bucket Policy (such as yours above), or by adding permissions on the specific object.

If either of these methods grant access to an object, then the object is accessible. So, the fact that your bucket policy is granting access to the entire bucket means that your object is public.

The only way to make an exception for one file would be to add a Deny policy, such as:

{
    "Version": "2012-10-17",
    "Id": "Policy1528702071704",
    "Statement": [
        {
            "Sid": "AllowALl",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-test-bucket/*"
        },
        {
            "Sid": "DenyOneObject",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-test-bucket/images/login_logo.png"
        }
    ]
}

A Deny always overrides an Allow, so that object will remain private.

However, be careful: This policy is denying read access to everybody (including you!). You will probably need to tweak it so that you can still get access (probably by using NotPrincipal).

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2020-11-30

Comments

0 comments

TOP Ranking

Article

Exclude one Amazon S3 object from a Bucket Policy

Exclude one Amazon S3 object from a Bucket Policy

Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

pump.io port in URL

Failed to listen on localhost:8000 (reason: Cannot assign requested address)

Unable to use switch toggle for dark mode in material-ui

grouping by column variables and appending a new variable based on condition

BigQuery - concatenate ignoring NULL

Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

ngClass error (Can't bind ngClass since it isn't a known property of div) in Angular 11.0.3

Python Read Directory And Output to CSV

Remove adjacent duplicates in linked list in C

Angular 8. Unknown amount of http.get requests in array to call, must be sequential, what to use

How to keep curl session alive between two php processes?

Limit number of characters in uitextview

JMeter: Why get error when try to save test plan

Always setting the text cursor on Textbox

MTKView Displaying Wide Gamut P3 Colorspace

Vector input in shiny R and then use it

How to implement an authentication method using Spring Boot and JPA?

Laravel getting value from another table using eloquent

org.springframework.web.client.HttpClientErrorException: 401 null

When I click any button in my view page the form is submitted