How do I grant public read access to some objects in my Amazon S3 bucket?

6 minute read
4

I want some objects in my Amazon Simple Storage Service (Amazon S3) bucket to be publicly readable. But I don't want to change the permissions on other objects that are in the same bucket.

Short description

Choose one of the following ways to grant public read access to objects in your S3 bucket:

  • Update the object's access control list (ACL) from the Amazon S3 console
  • Update the object's ACL from the AWS Command Line Interface (AWS CLI)
  • Use a bucket policy that grants public read access to a specific object tag
  • Use a bucket policy that grants public read access to a specific prefix

Important: You can't grant public access through bucket and object ACLs when your buckets have S3 Object Ownership set to Bucket Owner Enforced. In most cases, ACLs aren't required to grant permissions to objects and buckets. Instead, use AWS Identity Access and Management (IAM) policies and S3 bucket policies to grant permissions to objects and buckets.

New buckets, access points, and objects don't allow public access by default. If block public access is activated for all buckets within the AWS account, then you see the message "Bucket and objects not public". For more information, see Configuring block public access settings for your account.

Resolution

Important: Before you begin, confirm that you don't have any block public access settings at the account level or the bucket level. By default, block public access settings are set to True on new S3 buckets.

Update the object's ACL from the Amazon S3 console

To make several objects public at once, complete the following steps:

Warning: After you make several objects public, there's no option to undo this action for several objects at once. To remove public access, you must go into each individual object in the Amazon S3 console. Then, from the Permissions tab of the object, modify Public access. Carefully review the list of objects before you make them public.

  1. Open the Amazon S3 console.
  2. From the list of buckets, choose the bucket with the objects that you want to make public.
  3. Navigate to the folder that contains the objects.
  4. From the object list, select all the objects that you want to make public.
  5. Choose Actions, and then choose Make public.
  6. In the Make public dialog box, confirm that the list of objects is correct.
  7. Choose Make public.

To make an individual object public, repeat the previous process or complete the following steps:

  1. From the Amazon S3 console, choose the bucket with the object that you want to make public.
  2. Navigate to the folder that contains the object.
  3. Open the object by choosing the link on the object name.
  4. Choose the Permissions tab.
  5. Choose Edit.
  6. In the Everyone section, select Objects Read.
  7. Select I understand the effects of these changes on this object.
  8. Choose Save changes.

Update the object's ACL from the AWS CLI

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

For an object that's already stored in Amazon S3, you can run a put-object-acl command to update the object's ACL for public read access:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key exampleobject --acl public-read

Note: Replace exampleobject in the previous command with the object in your bucket that you want to grant public read access for.

Or, you can run the following command to grant full control of the object to the account owner and read access to everyone else:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key exampleobject --grant-full-control id="008exampleA45666666668889999008853" --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers

Note: For the value of --grant-full-control, enter the account's canonical user ID.

Use a bucket policy that grants public read access to a specific object tag

Important: Before you begin, be sure to review the pricing for S3 Object Tagging.

To use a policy to grant public read access to objects with a specific tag, complete the following steps:

  1. Add a bucket policy that allows public read access to any objects with a specific tag. For example, the following policy allows public read access for any object that has the key-value pair tag public=yes:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
          "Condition": {
            "StringEquals": {
              "s3:ExistingObjectTag/public": "yes"
            }
          }
        }
      ]
    }
  2. Add the tag to the objects that you want to be publicly readable. You can add or manage object tags from the Amazon S3 console. Or, you can use the AWS CLI.

  3. To check what tags an object has, run a get-object-tagging command in the AWS CLI:

    aws s3api get-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject
  4. To add a tag to an object that doesn't have any tags, run a put-object-tagging command:
    Warning: This command overwrites all of the tags that an object already has.

    aws s3api put-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject --tagging 'TagSet={Key=public,Value=yes}'
  5. To add a new tag to an object that already has tags, run the following command.
    Note: Make sure to include the new object tag, as well as the old tags that you want to keep.

    aws s3api put-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject --tagging 'TagSet=[{Key=public,Value=n},{Key=exampletag1,Value=one},{Key=exampletag2,Value=two}]'
  6. To verify the object's tags, run the following command again:

    aws s3api get-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject

Use a bucket policy that grants public read access to a specific prefix

Warning: The following bucket policy grants public read access to all objects under a specific prefix. Before you use this bucket policy, confirm that your use case supports all publicly readable objects within the prefix. This policy doesn't grant list access for the prefix. The user can access the object only if the object path is known. If the user tries to access an object that doesn't exist in the prefix, then the user receives a 403 error.

To grant public read access to a specific object prefix, add a bucket policy similar to the following:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::DOC-EXAMPLE-BUCKET/publicprefix/*"]
      }
  ]
}

Then, copy the objects into the prefix with public read access. To copy an object into the prefix, run a cp command similar to the following:

aws s3 cp s3://DOC-EXAMPLE-BUCKET/exampleobject s3://DOC-EXAMPLE-BUCKET/publicprefix/exampleobject

Note: If the object already has a publicly readable prefix, then you don't need to copy the object to a new prefix.

Related information

Configuring ACLs

AWS OFFICIAL
AWS OFFICIALUpdated 3 months ago
2 Comments

How did you get the following key --key exampleobject

replied 5 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 5 months ago