I'm trying to grant public read access to the objects in my Amazon Simple Storage Service (Amazon S3) bucket using a bucket policy or an object access control list (ACL). However, I get Insufficient Permissions or Access Denied errors.
Short description
Suppose that you're using the following bucket policy to grant public read access to the objects in your bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::example-bucket/*"
]
}
]
}
You might get the Insufficient Permissions or Access Denied errors because of the following reasons:
- You don't have the s3:PutBucketPolicy permission to update or create a bucket policy for your Amazon S3 bucket.
- You don't have the s3:PutObjectAcl permission to modify the object's ACL.
- The S3 bucket policy or the object's ACL conflicts with your S3 Block Public Access settings.
Resolution
Grant the required permissions
Be sure that AWS identity and Access Management (IAM) user or role that you use has the following permissions:
- s3:PutBucketPolicy to create or update the bucket policy for your S3 bucket
- s3:PutObjectAcl to update an object's ACL for granting public read access
Update the Block Public Access Settings
By default, all Amazon S3 resources, such as buckets, objects, and related subresources, are private and don't allow public access. The Block Public Access settings for access points, buckets, and accounts help you to manage public access to Amazon S3 resources. These settings override the S3 bucket policies and object ACLs so that you can limit public access to these resources. When the bucket policy or object ACL that you configured conflicts with the Block Public Access setting, you can't create a bucket policy to grant public read access. S3 also denies permissions to modify the bucket policy or object ACLs to grant public read access.
Amazon S3 Block Public Access provides four settings to block public access to buckets and objects. These settings are independent and can be used in any combination.
- BlockPublicAcls - Block public access that's granted using new ACLs: Amazon S3 blocks public access permissions that you apply to newly added buckets or objects. S3 also denies the creation of new public access ACLs for existing buckets and objects. This setting doesn't change any existing permissions that allow public access to S3 resources that use ACLs.
- IgnorePublicAcls - Block public access that's granted using any ACL: Amazon S3 ignores all ACLs that grant public access to buckets and objects.
- BlockPublicPolicy - Block public access that's granted using a new public bucket or access point policies: Amazon S3 blocks the use of new buckets and access point policies that grant public access to buckets and objects. This setting doesn't change any existing policies that allow public access to S3 resources.
- RestrictPublicBuckets - Block public and cross-account access that's granted using any public bucket or access point policies: Amazon S3 ignores public and cross-account access for buckets or access points with policies that grant public access to buckets and objects.
For more information, see Amazon S3 Block Public Access - Another layer of protection for your accounts and buckets.
Be sure to update the S3 Block Public Access settings based on your use case.
Note:
- If you're granting public read access to objects using ACLs, then turn off the following Block Public Access settings:
- If you're granting public read access to objects using an S3 bucket policy, then turn off the following Block Public Access settings:
- You can't use bucket ACLs or object ACLs to grant public read access for buckets that have the S3 Object Ownership set to Bucket Owner Enforced. In this case, you must use policies to grant access to your bucket and the objects in the bucket. Requests to set or update ACLs fail, and you get the AccessControlListNotSupported error message. Request to read ACLs are still supported.
If you turned on Block Public Access settings for all S3 buckets in your account, then you see the message Bucket and objects not public. For more information, see Configuring block public access settings for your account.
Important: When you grant public read access to the objects, anyone on the internet can access these objects. If this isn't what you want, then make sure that your S3 bucket isn't publicly accessible. For more information, see Amazon S3 security best practices.
Related information
How can I grant public read access to some objects in my Amazon S3 bucket?