1 Answer
- Newest
- Most votes
- Most comments
0
Best practice is to have no publicly-accessible objects. All the "Block Public Access" settings should be on and you should not have any "Publicly accessible" warnings.
If you need to allow people access to objects from their web browser, the two secure options are:
- If the objects are assets for a public website, make the bucket a CloudFront origin. Don't use S3's built-in static website hosting (URLs like http://<bucket-name>.s3-website-<region>.amazonaws.com or http://<bucket-name>.s3-website.<region>.amazonaws.com) as it doesn't support http.
- If the objects are private then your app should vend presigned URLs providing secure temporary access.
Your URL "https://bucket.s3.us-north-8.amazonaws.com/img.png" looks more like an S3 REST API URL, which would be used from an application either directly or more typically via an API package such as Boto3 for Python. In this case your application would get secure access to S3 objects with IAM credentials.
Relevant content
- Accepted Answerasked 4 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
But they mentioned that Amplify.Storage.GetURL is only to download image I want all user can acess my objects. just like other app even if you not loggged in you can access photos ex: twitter, instagram