2
votes

I am a newbie on AWS S3. I created a bucket, on which I store user profile photos and our daily data backups (uploaded at frequent intervals).

When I open S3, it shows:

Access: Public

And when I opened the bucket, the Permissions tab also shows Public.

My bucket policy is also public.

Please tell me what the standard and secure way of creating the bucket is.

If I remove public access, will users still get their profile photos or not? If I remove public access, will my database backup still upload or not?

I know there is a Private option, which is recommended, but after changing from public to private I am afraid that my photos and database backups will not work.

My bucket policy is:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucketname/*"
        }
    ]
}

From this policy it is clear that it will allow everyone.

Anyone who has strong knowledge and expertise in this, please suggest a good way to fix this issue. Any help, support or suggestion is really appreciated.


1 Answer

1
votes

All objects in Amazon S3 are private by default. This means that they can only be accessed by providing AWS credentials. This is good.

If you wish to make an object Public, then anybody can access the object. The above Bucket Policy is making the entire bucket public, so anybody can call GetObject on the bucket. Admittedly, they will need to know the name of the object since they cannot list the contents of the bucket, but the objects are publicly accessible.

It is normally best-practice to only grant access to data as necessary. So, if you have a website where you wish to show user profile photos, then making them public might be okay. However, it is unlikely that you want the entire world to have access to your data backups. Therefore, making the whole bucket public is probably not a good idea.

There are several ways to grant access to objects in Amazon S3:

  • A Bucket Policy can make a bucket, or part of a bucket, public.
  • Access Control Lists (ACLs) on an individual object can make that object public.
  • IAM Permissions can be added to IAM Users and IAM Groups to grant access to specific users.
  • Pre-signed URLs can grant time-limited access to an object.

If you have an application that shows the profile pictures, but you do not wish to make the profile pictures public, your application can generate a Pre-Signed URL that provides temporary access to a private object. This URL can be used in an <img src=.../> tag on a web page. After the expiry period, the URL will no longer work.

So, the best approach is to keep objects private unless you have a specific reason to make them public. Using pre-signed URLs is a great way to provide temporary access.

See: Share an Object with Others - Amazon Simple Storage Service
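Added example, not code from the question or the answer above. It puts the two recommendations of the answer into working form with only the Python standard library: a bucket policy scoped to a profile-photos/ prefix (so the backups under backups/ stay private), next to the question's own policy, with a small matcher that shows which keys each policy exposes to anonymous readers; and a SigV4 query-string pre-signed GET URL generated locally, the way an SDK does it, plus a helper that reads the expiry window back out of the URL. The prefixes profile-photos/ and backups/, the region, the credentials and the clock value are constructed placeholders, and the policy matcher is a simplified model (Allow statements with an anonymous principal only, no Deny or Condition handling), not AWS's evaluation engine.

```python
"""Added example, not code from the question or answer. Two pieces, standard library only:

1. A scoped bucket policy that lets anonymous users read only under the
   profile-photos/ prefix, next to the question's policy, plus a small matcher
   that shows which keys each policy exposes to the world.
2. A SigV4 query-string pre-signed GET URL, built locally the way an SDK would,
   so a private object can be placed in an <img src> for a limited time.

The prefixes, credentials, region and timestamps are constructed placeholders.
"""
import calendar
import fnmatch
import hashlib
import hmac
import time
import urllib.parse

BUCKET = "mybucketname"  # bucket name from the question

# The question's policy: s3:GetObject for everyone on every key in the bucket.
ORIGINAL_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{"Sid": "AllowPublicRead", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

# Scoped variant (assumed layout: photos under profile-photos/, dumps under backups/).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowPublicReadProfilePhotosOnly", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": f"arn:aws:s3:::{BUCKET}/profile-photos/*"}],
}


def anonymous_get_allowed(policy, key):
    """True if some Allow statement with Principal * matches s3:GetObject on key.

    Deliberately minimal: only Allow statements, the "*" / {"AWS": "*"} principal
    forms, and '*' wildcards in Action/Resource. Deny statements, Conditions and
    NotAction/NotResource are not modelled, so treat the result as a first check.
    """
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") != "Allow" or not anonymous:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase("s3:GetObject", a) for a in actions) and \
           any(fnmatch.fnmatchcase(arn, r) for r in resources):
            return True
    return False


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presigned_get_url(bucket, key, access_key, secret_key, region, expires, now_epoch):
    """SigV4 pre-signed GET (UNSIGNED-PAYLOAD, only the host header signed).

    now_epoch is a Unix timestamp, passed in so the output is reproducible.
    """
    host = f"{bucket}.s3.{region}.amazonaws.com"
    t = time.gmtime(now_epoch)
    amz_date, date_stamp = time.strftime("%Y%m%dT%H%M%SZ", t), time.strftime("%Y%m%d", t)
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    q = lambda s: urllib.parse.quote(s, safe="-_.~")  # SigV4 URI-encoding rules
    canonical_query = "&".join(f"{q(k)}={q(v)}" for k, v in sorted(params.items()))
    canonical_uri = urllib.parse.quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key from the secret: date -> region -> service -> terminator.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp),
                                  region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def seconds_remaining(url, now_epoch):
    """Seconds until X-Amz-Date + X-Amz-Expires closes the window (negative once expired)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    signed_at = calendar.timegm(time.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ"))
    return signed_at + int(qs["X-Amz-Expires"][0]) - now_epoch


# Constructed inputs: placeholder credentials, a fixed clock, a 15-minute lifetime.
EXAMPLE_NOW = 1704110400  # 2024-01-01T12:00:00Z
EXAMPLE_URL = presigned_get_url(BUCKET, "profile-photos/42.jpg", "AKIAEXAMPLEPLACEHOLDER",
                                "placeholder-secret-key", "us-east-1", 900, EXAMPLE_NOW)

if __name__ == "__main__":
    for policy_name, policy in (("original", ORIGINAL_POLICY), ("scoped", SCOPED_POLICY)):
        for key in ("profile-photos/42.jpg", "backups/db-2024-01-01.sql.gz"):
            print(f"{policy_name:8s} {key:32s} public read: {anonymous_get_allowed(policy, key)}")
    print(EXAMPLE_URL)
```

Run as a script, the matcher reports that the question's policy exposes both the photo and the backup to anonymous readers while the scoped policy exposes only the photo; the backup upload itself is unaffected by either policy, because uploads use the credentials of whatever IAM user or role runs the backup job, not the anonymous Principal "*" grant. The pre-signed URL is what the answer suggests for the photos if you would rather not keep even the profile-photos/ prefix public: the application signs a URL with its own credentials, places it in the img tag, and S3 rejects the link once X-Amz-Date plus X-Amz-Expires has passed.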