-1

Suppose I have an S3 bucket that has the "Everyone Read" permission. The bucket is not public. This means anyone can access objects by typing their URL in the browser. Now I want to remove this access via the URL in the browser. One option is to go to each image and remove "Read" from the "Everyone" section. But since there is a huge number of images, this is not feasible.

So can I put in place a bucket policy which allows access only from one IAM user and not from the browser? I tried adding a bucket policy that allows access to all resources for only a specific user, but the images are still accessible by browsing to the URL. Any thoughts?

Edit: adding the policy that I tried

{
  "Id": "Policy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::test-bucket-public-issue",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountId:user/Username"
        ]
      }
    }
  ]
}
Vaisakh PS
Himanshu Mohan

1 Answer

1

OK @Himanshu Mohan, I will explain what I have done. I created an S3 bucket and then added the bucket policy below

{
    "Version": "2012-10-17",
    "Id": "Policy1534419239074",
    "Statement": [
        {
            "Sid": "Stmt1534419237657",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::xxx-xxx-test/*"
        }
    ]
}

When adding this policy, the bucket automatically becomes public.

Then I uploaded an image as you described, and I was able to access the same image via the browser.

Now I changed the policy back to what you described.

Now I was not able to access the image; it shows the access denied XML response. The only difference I see is that I added the /* after the bucket name: "Resource": "arn:aws:s3:::xxx-xxx-test/*".

Vaisakh PS
  • Hi @Vaisakh. There is a difference between our scenarios. In my case every image has the "Read" permission set to "Yes" for the "Everyone" group (under Each Image -> Permissions -> Public Access). So even though I performed the same steps as you did, I am still able to access the image publicly. – Himanshu Mohan Aug 17 '18 at 06:14
  • @HimanshuMohan If you have explicitly given access to each object, then you have to revert it back to private and then apply the above policy. For that, run the CLI command below from any EC2 machine that has S3 access: `aws s3 ls --recursive s3://test-bucket-public-issue | cut -d' ' -f5- | awk '{print $NF}' | while read line; do echo "$line"; aws s3api put-object-acl --acl private --bucket test-bucket-public-issue --key "$line"; done` Reference - https://stackoverflow.com/questions/9238629/s3-make-a-public-folder-private-again – Vaisakh PS Aug 17 '18 at 08:34
  • The thing is, it is uploaded through the s3fs plugin for a Drupal website. And every time it uploads an image, these settings are applied by default. So even if I manually remove this permission, subsequent uploads will again have public access. And these images are accessed from the website, which uses s3fs with a particular user's access key and token. – Himanshu Mohan Aug 17 '18 at 09:07
  • Then it has to be handled inside the code. For the objects which are already inside the bucket you can change the permission using the script. The other case you have to handle inside the code/plugin. – Vaisakh PS Aug 17 '18 at 09:13
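Putting the thread together as one script (an added example, not code from the question, the answer or the comments): first reset every object's ACL to private, because an Allow-only bucket policy does not remove the public read already granted on each object, then install the single-user policy with the `/*` object resource that the answer identifies as the difference. It assumes the AWS CLI is installed and configured with credentials that can list the bucket and change ACLs; the bucket name, account ID and IAM user name are command-line arguments and the values in the usage line are placeholders. Keys are listed one per line with `--query 'Contents[].[Key]'` so that names containing spaces survive, which the `cut`/`awk` field split in the comment does not guarantee, and the CLI follows the listing's pagination itself.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Re-privatise every
# object in a bucket, then install a bucket policy that grants access only to
# one IAM user. Assumes a configured AWS CLI; the bucket, account ID and user
# name are placeholders supplied on the command line.
set -eu

# Print one object key per line. Wrapping Key in its own list ([Key]) makes
# text output put each key on a separate line, so keys with spaces are safe.
# The CLI follows the pagination of list-objects-v2 itself. An empty bucket
# yields the single word "None", which is filtered out.
list_keys() {
  aws s3api list-objects-v2 --bucket "$1" \
    --query 'Contents[].[Key]' --output text | grep -v '^None$' || true
}

# Set the ACL of every object to private and print how many were changed.
# An Allow-only bucket policy does not override a public-read object ACL,
# so this step is what actually stops anonymous browser access.
make_private() {
  bucket=$1
  keys=$(list_keys "$bucket")
  n=0
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    aws s3api put-object-acl --bucket "$bucket" --key "$key" --acl private
    n=$((n + 1))
  done <<EOF
$keys
EOF
  echo "$n"
}

# Bucket policy allowing one IAM user everything on the bucket. Object actions
# such as s3:GetObject match only object ARNs, hence the second Resource
# entry ending in "/*"; the bare bucket ARN covers bucket-level actions only.
bucket_policy() {
  bucket=$1 account=$2 user=$3
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSingleUser",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${account}:user/${user}"},
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::${bucket}",
        "arn:aws:s3:::${bucket}/*"
      ]
    }
  ]
}
EOF
}

# Install the policy; the CLI accepts the JSON document inline.
apply_policy() {
  aws s3api put-bucket-policy --bucket "$1" \
    --policy "$(bucket_policy "$1" "$2" "$3")"
}

if [ $# -eq 3 ]; then
  changed=$(make_private "$1")
  echo "objects made private: $changed"
  apply_policy "$1" "$2" "$3"
else
  echo "usage: $0 BUCKET ACCOUNT_ID IAM_USER" >&2
fi
```

Run it once for the objects already in the bucket. As the last comment says, uploads that keep arriving with a public ACL have to be fixed in the uploading code; this script does not stop them.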