AWS/Azure/OpenShift

How to grant public access to S3 Bucket using Policy

S3-Bucket-Public-Access-1

In this article, you will learn how to generate and add a bucket policy to an Amazon S3 bucket to enable public access to any data stored on it, but first, let’s take a look at what Amazon S3 is all about. What is Amazon S3? Amazon S3, also known as Amazon Simple Storage Service, is a service provided by Amazon Web Services that offers object storage via a web service interface. It is one of the most popular storage solutions when compared to file and block storage solutions such as Amazon Elastic File System (EFS) and Amazon Elastic Block Stores (EBS). When we talk about an object storage solution with industry-leading scalability, availability, and security that allows you to store and retrieve any amount of data from any location, we are simply referring to Amazon S3. All data stored on the S3 storage solution are stored in a component known as an S3 Bucket.

By default, Amazon S3 blocks all public access to any data stored in the S3 bucket. What this means is that access to an S3 bucket’s data is restricted until a policy to allow public access is added. This policy is known as an S3 Bucket Policy. You may ask, why is a bucket policy required? The policy is required to give multiple users access to a bucket and allow or deny accounts access to your bucket’s files for reading and uploading. In some situations where there are critical data stored on your S3 bucket, setting a bucket policy will help deny users the ability to add and remove buckets.

You may also be interested in reading these related articles: How to integrate AWS CodeBuild and AWS CodeCommit to SonarCloud, How to deploy a React Application to AWS S3, How to deploy an Angular App to AWS S3 and How to redirect requests for your bucket’s website endpoint to another bucket or domain

An S3 bucket policy is a type of object that allows you to control who has access to specific Amazon S3 storage resources. 

Note: You can only do this on selected occasions or based on a special request that’s authorized by your organization, as granting access to the S3 bucket with critical data can expose your data to the public, which is subject to abuse. Therefore, you should grant access to only temporary data that you know needs public access!

Prerequisite

To follow along without missing a step in this post, you need to have an active AWS account with access to the AWS Management Console. If you don’t have an active AWS account with a subscription, Amazon has made it very easy for you as you can enjoy the AWS Free-Tier without being charged.

If the above requirements are in place, proceed with me to the next steps below:

To get started, sign in to the AWS Management Console as either a root user or an IAM user, or sign up for an AWS Free account if you’re a new user.

AWS-Console-Sign-in-Page
AWS Sign in & Sign up page

Search for and click on S3 using the horizontal search bar on the AWS Management Console

Search-For-S3-Bucket
Search for S3

When you click on the S3, you will be taken to the console. In the S3 Console, click on “Create bucket” as shown below:

Create-bucket
Create a bucket

Next, give your bucket a unique name and proceed to supply other information.

Note: Because S3 is a global service on the AWS Cloud, your bucket name must be unique and must not already be taken. It must not also contain a special character like an underscore (_).

Remember to uncheck “Block all public access ” and mark the checkbox below to acknowledge your consent to grant access to the S3 bucket. Unchecking the "Block all public access" is the first step to granting public access to the S3 bucket.

After the public access has been unchecked, proceed to create the bucket. As you can see the access level to our bucket in the below screenshot is indicated as “Objects can be public” which means it’s not public yet.

bucket-created-1

Step 2 – Create Bucket Policy

Next, we will create a bucket policy, but before then, we need to add a file to the bucket and try to access the file URL to get an access denied prompt, which is the issue we’re about to solve in this article. Here, we will upload a simple text.txt file to the bucket. You can upload any kind of file provided that public exposure to the file won’t cause any damage to you.

To upload a file to the bucket, double click on the bucket name > Objects > Upload > Add files >Click on upload

file-uploaded-
File uploaded

Now, navigate to the Object URL by double-clicking on the file name. The URL should look like https://bucket-name.s3.amazonaws.com/filename. You will be denied access to the content of the file from your browser when you double click to open the URL. See the screenshot below:

bucket-access-denied

Now, let’s generate a bucket policy to allow access. To do so, click to go back to the bucket. Click on the permission tab and scroll down to where you have "Bucket Policy" and click on the Edit button.

After clicking on the edit button to open the policy creation console, click on Policy generator to open on a new browser tab. Note your Amazon Resource Name (ARN) as it will be required in the new browser tab where you will generate the policy – ARN is a file naming convention used to identify a particular resource in the Amazon Web Services (AWS) public cloud.

Generate-Policy
Policy generator

On the new browser tab to generate the policy, under Select Type of Policy, select S3 bucket policy from the list of policies in the drop-down menu leaving the Effect directly below it as “Allow” . Under the principal column, type asterisk (*) which means it will allow access from anybody.

Next, move to the Actions column and select the GetObject action, copy and paste your ARN arn:aws:s3:::techda-store/* from the Edit Bucket Policy Console. Add a forward slash(/) and asterisk to the ARN. What this means is that it will allow all objects stored in this bucket to be accessible. Now, click on “Add statement”

Add-Statement
Add policy statement

Now, click on generate policy to generate the policy.

Generate-Policy-statement
Generate policy

After generating the policy, a dialog box containing the policy script will pop-up. Now highlight and copy the policy script and paste it under the policy section within the bucket console.

Copy-and-paste-policy-script
Copy the policy script

Click on save changes after you have pasted the script.

Bucket-now-publicly-accessible
Bucket is publicly accessible

As shown in the screenshot above, our bucket is now publicly accessible.

Lastly, let’s browse to the object URL once again and read the content of the file as shown below:

Browse-to-the-text-file-1
Object now accessible to the public

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x