Simplest and tightest way to secure S3 buckets for static websites

0

Hi folks, I am trying to find clear and up-to-date docs that describe the "minimal" and most "tight" (but simplest) way (using the Permissions tab options on the S3 console) to secure my S3 bucket from Public 'writes' while using it serve a static website. As i understand it the Bucket Policy should read as below [1]. However, the docs for "Block Public Access" settings (the 1st tab) are not clear to me and I cannot find a combination of the public access settings that does not result in a scary 'warning' about public access (e.g., there are 4 boolean settings there along the lines of: "Block public access to buckets and objects granted through new access control lists (ACLs)", and so on (3 other related settings)).

Any clear notes or thoughts? Thank you!

ref: [1]:

{
  "Version":"2012-10-17",
  "Statement":[{
	"Sid":"PublicReadGetObject", "Effect":"Allow", "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::example-my-bucket-id/*"
      ]
    }
  ]
}

Edited by: beanstalkfalch on Sep 3, 2019 7:19 AM

asked 5 years ago323 views
1 Answer
0

Thanks for the note on improving our documentation, we'll look into adding more examples for website hosting permissions.

To restrict write permissions to the bucket, your bucket policy already does so. To ensure your bucket ACL limits write permission, you could consider enabling three of the four S3 Block Public Access settings. These would be BlockPublicAcls, IgnorePublicAcls, and BlockPublicPolicy. The two ACL settings will block new public ACLs from being applied and will block public access permitted by current ACLs. The BlockPublicPolicy setting will leave your existing bucket policy in place but block the addition of a new bucket policy permitting public access. This would be useful if you do not intend to change your existing policy and want to block changes. Here's a link with more info: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html

AWS
awsrwx
answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions