How can I troubleshoot issues when granting public read access to an Amazon S3 object using a bucket policy or an object ACL?


I'm trying to grant public read access to the objects in my Amazon Simple Storage Service (Amazon S3) bucket using a bucket policy or an object access control list (ACL). However, I get Insufficient Permissions or Access Denied errors.

Short description

Suppose that you're using the following bucket policy to grant public read access to the objects in your bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::example-bucket/*"
            ]
        }
    ]
}

You might get the Insufficient Permissions or Access Denied errors for the following reasons:

  • You don't have the s3:PutBucketPolicy permission to update or create a bucket policy for your Amazon S3 bucket.
  • You don't have the s3:PutObjectAcl permission to modify the object's ACL.
  • The S3 bucket policy or the object's ACL conflicts with your S3 Block Public Access settings.

Resolution

Grant the required permissions

Be sure that the AWS Identity and Access Management (IAM) user or role that you use has the following permissions:

  • s3:PutBucketPolicy to create or update the bucket policy for your S3 bucket
  • s3:PutObjectAcl to update an object's ACL for granting public read access

Update the Block Public Access Settings

By default, all Amazon S3 resources, such as buckets, objects, and related subresources, are private and don't allow public access. The Block Public Access settings for access points, buckets, and accounts help you to manage public access to Amazon S3 resources. These settings override the S3 bucket policies and object ACLs so that you can limit public access to these resources. When the bucket policy or object ACL that you configured conflicts with the Block Public Access setting, you can't create a bucket policy to grant public read access. S3 also denies permissions to modify the bucket policy or object ACLs to grant public read access.

Amazon S3 Block Public Access provides four settings to block public access to buckets and objects. These settings are independent and can be used in any combination.

  • BlockPublicAcls - Block public access that's granted using new ACLs: Amazon S3 blocks public access permissions that you apply to newly added buckets or objects. S3 also denies the creation of new public access ACLs for existing buckets and objects. This setting doesn't change any existing permissions that allow public access to S3 resources that use ACLs.
  • IgnorePublicAcls - Block public access that's granted using any ACL: Amazon S3 ignores all ACLs that grant public access to buckets and objects.
  • BlockPublicPolicy - Block public access that's granted using new public bucket or access point policies: Amazon S3 blocks the use of new bucket and access point policies that grant public access to buckets and objects. This setting doesn't change any existing policies that allow public access to S3 resources.
  • RestrictPublicBuckets - Block public and cross-account access that's granted using any public bucket or access point policies: Amazon S3 ignores public and cross-account access for buckets or access points with policies that grant public access to buckets and objects.

For more information, see Amazon S3 Block Public Access - Another layer of protection for your accounts and buckets.

Be sure to update the S3 Block Public Access settings based on your use case. 

Note:

  • If you're granting public read access to objects using ACLs, then turn off the following Block Public Access settings: BlockPublicAcls and IgnorePublicAcls.
  • If you're granting public read access to objects using an S3 bucket policy, then turn off the following Block Public Access settings: BlockPublicPolicy and RestrictPublicBuckets.
  • You can't use bucket ACLs or object ACLs to grant public read access for buckets that have the S3 Object Ownership set to Bucket Owner Enforced. In this case, you must use policies to grant access to your bucket and the objects in the bucket. Requests to set or update ACLs fail, and you get the AccessControlListNotSupported error message. Requests to read ACLs are still supported.

If you turned on Block Public Access settings for all S3 buckets in your account, then you see the message Bucket and objects not public. For more information, see Configuring block public access settings for your account.
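As an added example (not part of the AWS article), the following Python maps the two grant methods onto the four Block Public Access settings described above and the Object Ownership rule from the note, so that you can read off which setting is conflicting before you change anything. It assumes the configuration dict has the shape that boto3's get_public_access_block returns and that Object Ownership is given in its API form (BucketOwnerEnforced); all inputs are constructed and no AWS call is made.

```python
# Added example (not from the AWS article): decide which Block Public Access
# settings conflict with a planned public-read grant. The config dict mirrors
# the shape returned by boto3's s3.get_public_access_block(); the ownership
# value uses the API form (BucketOwnerEnforced). No AWS calls are made.
from typing import Dict, List, Optional

ACL_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls")            # affect ACL grants
POLICY_SETTINGS = ("BlockPublicPolicy", "RestrictPublicBuckets")  # affect policy grants

# The bucket policy from the article, embedded as constructed sample input.
EXAMPLE_POLICY: Dict = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example-bucket/*"]}]}


def is_public_read_policy(policy: Dict) -> bool:
    """True if an Allow statement grants s3:GetObject to the anonymous principal.

    Simplified check: statement Conditions are not evaluated, so a policy that
    S3 itself would treat as non-public because of a Condition still returns True.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if anonymous and any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions):
            return True
    return False


def blocking_settings(config: Dict, method: str) -> List[str]:
    """Enabled Block Public Access settings that stop an 'acl' or 'policy' grant."""
    settings = config.get("PublicAccessBlockConfiguration", config)
    relevant = ACL_SETTINGS if method == "acl" else POLICY_SETTINGS
    return [name for name in relevant if settings.get(name, False)]


def diagnose(config: Dict, method: str, object_ownership: Optional[str] = None) -> str:
    """Explain why a public-read grant would fail, or confirm nothing blocks it."""
    if method == "acl" and object_ownership == "BucketOwnerEnforced":
        return "ACLs are disabled (BucketOwnerEnforced); use a bucket policy instead."
    blocked = blocking_settings(config, method)
    if blocked:
        return "Turn off " + " and ".join(blocked) + " before the " + method + " grant can apply."
    return "No Block Public Access setting conflicts with the " + method + " grant."
```

Run diagnose against the output of get_public_access_block and get_bucket_ownership_controls for the bucket; a grant that still fails after the reported settings are turned off points back to the missing s3:PutBucketPolicy or s3:PutObjectAcl permission.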

Important: When you grant public read access to the objects, anyone on the internet can access these objects. If this isn't what you want, then make sure that your S3 bucket isn't publicly accessible. For more information, see Amazon S3 security best practices.

Related information

How can I grant public read access to some objects in my Amazon S3 bucket?

AWS OFFICIAL (updated a year ago)