I want some objects in my Amazon Simple Storage Service (Amazon S3) bucket to be publicly readable. But I don't want to change the permissions on other objects that are in the same bucket.
Short description
Use one of the following ways to grant public read access to objects in your S3 bucket:
- Use the Amazon S3 console to update the object's access control list (ACL).
- Use the AWS Command Line Interface (AWS CLI) to update the object's ACL.
- Use a bucket policy that grants public read access to a specific object tag.
- Use a bucket policy that grants public read access to a specific prefix.
Important: When S3 Object Ownership is set to Bucket owner enforced on your bucket (the default for new buckets), ACLs are turned off and you can't use bucket or object ACLs to grant public access. The ACL methods in this article require Object Ownership to be Bucket owner preferred or Object writer. In most cases, you don't need ACLs to grant permissions to objects and buckets. Instead, use AWS Identity and Access Management (IAM) policies and S3 bucket policies to grant permissions.
New buckets, access points, and objects don't allow public access by default. If you configured block public access for all buckets within your AWS account, then you get the "Bucket and objects not public" message.
To access the public bucket, make sure that your network doesn't have firewalls or settings that block outbound traffic to the bucket's domain.
Resolution
Important: All four Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets) are turned on for new S3 buckets by default, and the account-level settings override the bucket-level settings. Before you begin, turn off only the settings that your chosen method needs, at the account level or the bucket level: BlockPublicAcls and IgnorePublicAcls for the ACL methods, and BlockPublicPolicy and RestrictPublicBuckets for the bucket policy methods. Leave the other settings turned on.
Use the Amazon S3 console to update the object's ACL
Make several objects public at once
Warning: Carefully review the objects before you make them public. After you make several objects public, you can't undo this action for all the objects at once. Instead, you must modify Public access in the Permissions tab of each object.
To make several objects public at once, complete the following steps:
- Open the Amazon S3 console, and then select the objects that you want to make public.
- Choose Actions, and then choose Make public.
- In the Make public dialog box, confirm that the list of objects is correct.
- Choose Make public.
Make one object public
To make only one object public, repeat the previous process or complete the following steps:
- Open the Amazon S3 console, and then select the bucket for the object that you want to make public.
- In Objects, select the object.
- Choose the Permissions tab, and then choose Edit.
- In the Everyone (public access) section, under Objects, select Read.
- Select I understand the effects of these changes on this object.
- Choose Save changes.
Use the AWS CLI to update the object's ACL
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
For an object that's already stored in Amazon S3, run the put-object-acl command to set the public-read canned ACL on the object:
aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key exampleobject --acl public-read
Note: Replace exampleobject with the key of your object.
Or, run the following put-object-acl command to set an ACL that grants full control of the object to the account owner and read access to everyone (the AllUsers group):
aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key exampleobject --grant-full-control id="008exampleA45666666668889999008853" --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers
Note: For grant-full-control id, enter the account's canonical user ID. Both commands replace the object's entire existing ACL, so include every grant that you want to keep. To confirm the result, run get-object-acl on the same key and check for a READ grant to the AllUsers group URI.
Use a bucket policy that grants public read access to a specific object tag
Important: Before you begin, be sure to review the Amazon S3 pricing for object tagging.
To use a policy to grant public read access to objects with a specific tag, complete the following steps:
- Add a bucket policy that allows public read access to any object with a specific tag. For example, the following policy allows public read access for any object that has the public=yes key-value pair tag. Block Public Access still treats this policy as public, because the tag condition doesn't restrict who the principal is, so BlockPublicPolicy and RestrictPublicBuckets must be off for it to take effect:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/public": "yes"
        }
      }
    }
  ]
}
- Add the tag to the objects that you want to be publicly readable. Tag keys and values are case-sensitive and StringEquals matches exactly, so a tag of public=Yes doesn't satisfy the policy.
- To check what tags an object has, run the get-object-tagging command in the AWS CLI:
aws s3api get-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject
- To add a tag to an object that doesn't have any tags, run the following put-object-tagging command:
aws s3api put-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject --tagging 'TagSet={Key=public,Value=yes}'
Warning: The preceding command replaces the object's entire tag set.
- To add a new tag to an object that already has tags, run the following put-object-tagging command and include the existing tags that you want to keep:
aws s3api put-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject --tagging 'TagSet=[{Key=public,Value=yes},{Key=exampletag1,Value=one},{Key=exampletag2,Value=two}]'
Note: Any existing tag that you leave out of the TagSet is removed from the object.
- To verify the object's tags, run the get-object-tagging command again:
aws s3api get-object-tagging --bucket DOC-EXAMPLE-BUCKET --key exampleobject
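Because put-object-tagging replaces the whole tag set, a script that tags objects for public access should read the existing tags, merge the new tag in, and then write the complete set back. The following Python helper is an added example, not part of the original article or of the AWS CLI: it performs that merge offline on a constructed get-object-tagging response, enforces S3's per-object tag limits (10 tags, 128-character keys, 256-character values), and renders the result in both forms that the --tagging parameter accepts.

```python
"""Merge a tag into an object's existing tag set without dropping the others.
Added example, not AWS code; the sample get-object-tagging output is constructed."""
import json

MAX_TAGS, MAX_KEY, MAX_VALUE = 10, 128, 256  # S3 per-object tag limits

# Constructed sample of what `aws s3api get-object-tagging` returns for an
# object that already carries two tags.
EXISTING = {"TagSet": [{"Key": "exampletag1", "Value": "one"},
                       {"Key": "exampletag2", "Value": "two"}]}


def merge_tagset(existing, new_tags):
    """Return the complete TagSet: existing tags kept, new_tags added or updated.
    Keys are case-sensitive, so "Public" and "public" are two different tags."""
    merged = {t["Key"]: t["Value"] for t in existing.get("TagSet", [])}
    merged.update(new_tags)
    for key, value in merged.items():
        if not key or len(key) > MAX_KEY or len(value) > MAX_VALUE:
            raise ValueError(f"tag {key!r} exceeds the S3 key/value length limits")
    if len(merged) > MAX_TAGS:
        raise ValueError(f"{len(merged)} tags exceeds the limit of {MAX_TAGS} per object")
    return [{"Key": k, "Value": v} for k, v in merged.items()]


def tagging_json(tagset):
    """JSON form, suitable for `--tagging file://tags.json`."""
    return json.dumps({"TagSet": tagset})


def tagging_shorthand(tagset):
    """CLI shorthand form, as in `--tagging 'TagSet=[{Key=public,Value=yes},...]'`.
    This helper doesn't quote shorthand delimiters, so it refuses keys or values
    that contain them; use tagging_json() for those."""
    for t in tagset:
        if any(c in t["Key"] + t["Value"] for c in ",{}=[]"):
            raise ValueError("use tagging_json() for values containing shorthand delimiters")
    return "TagSet=[" + ",".join(f"{{Key={t['Key']},Value={t['Value']}}}" for t in tagset) + "]"


def is_public_tagged(tagset):
    """True when the tag set satisfies the policy condition s3:ExistingObjectTag/public = yes."""
    return any(t["Key"] == "public" and t["Value"] == "yes" for t in tagset)


if __name__ == "__main__":
    tagset = merge_tagset(EXISTING, {"public": "yes"})
    print(tagging_shorthand(tagset))
    print(tagging_json(tagset))
```

In a real workflow the EXISTING dictionary comes from `aws s3api get-object-tagging --output json`, and the rendered TagSet goes straight into the put-object-tagging command, so the existing tags survive the write.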
Use a bucket policy that grants public read access to a specific prefix
Warning: The following bucket policy grants public read access to all objects under a specific prefix, including objects that are added later. Before you use the bucket policy, confirm that every object that can land under the prefix is safe to publish. The policy doesn't grant s3:ListBucket, so anonymous users can't list the prefix and can read an object only when they know its key. Because listing isn't allowed, a request for a key that doesn't exist under the prefix returns a 403 Forbidden error rather than a 404 Not Found.
- To grant public read access to a specific object prefix, add the following bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/publicprefix/*"
      ]
    }
  ]
}
- Run the cp command to copy an object to the prefix with public read access:
aws s3 cp s3://DOC-EXAMPLE-BUCKET/exampleobject s3://DOC-EXAMPLE-BUCKET/publicprefix/exampleobject
Note: If the object is already under a publicly readable prefix, then you don't need to copy it. The cp command leaves the original object in place under its old key with its old permissions; use aws s3 mv instead if you don't want to keep that copy.
Access public S3 buckets or objects from restricted networks
To allow anonymous reads only from specific networks, such as your organization's egress ranges, add a bucket policy with an aws:SourceIp condition. The following example policy allows GET requests only from the 192.0.2.0/24 and 203.0.113.0/24 CIDR ranges. Because the statement is limited by a fixed aws:SourceIp condition, Block Public Access doesn't treat it as public, so you don't have to turn off BlockPublicPolicy or RestrictPublicBuckets to use it. Requests that reach Amazon S3 through a VPC endpoint don't carry the caller's public IP address; for those, condition on aws:VpcSourceIp or aws:SourceVpce instead:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24"
          ]
        }
      }
    }
  ]
}
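Whether an object ends up publicly readable depends on how the controls in this article interact: Object Ownership decides whether ACLs count at all, Block Public Access can silently ignore a public ACL or a public bucket policy, and the tag, prefix and IP-range statements each match different requests. The following Python model is an added example, not AWS code, that evaluates an anonymous GetObject against all of them offline. It is a simplified simulation rather than the real IAM policy engine: it understands Principal "*", explicit deny, wildcard Action and Resource, and only the s3:ExistingObjectTag and aws:SourceIp conditions. The bucket name is the article's placeholder, and the partner/ prefix on the IP-restricted statement is an assumption made for the example.

```python
"""Offline model of whether an anonymous GetObject succeeds, combining Block Public
Access, S3 Object Ownership, the object ACL, object tags and a bucket policy.
Added example, not AWS code; a simplified simulation, not the IAM policy engine."""
import fnmatch
import ipaddress

BUCKET = "DOC-EXAMPLE-BUCKET"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {key: True for key in BPA_OFF}

# Constructed policy: the tag, prefix and IP-range statements from this article;
# the "partner/" prefix on the IP-restricted statement is an assumption.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringEquals": {"s3:ExistingObjectTag/public": "yes"}}},
    {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/publicprefix/*"]},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/partner/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(stmt):
    return stmt.get("Principal") in ("*", {"AWS": "*"})

def statement_is_public(stmt):
    """Block Public Access counts an Allow to Principal "*" as public unless a
    fixed aws:SourceIp condition limits it; a tag condition does not help."""
    if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt):
        return False
    return "aws:SourceIp" not in stmt.get("Condition", {}).get("IpAddress", {})

def policy_would_be_rejected(policy, bpa):
    """With BlockPublicPolicy on, PutBucketPolicy fails for a public policy."""
    return bool(bpa.get("BlockPublicPolicy")) and any(
        statement_is_public(s) for s in policy["Statement"])

def _conditions_hold(cond, tags, source_ip):
    for operator, keys in cond.items():
        for key, expected in keys.items():
            expected = _as_list(expected)
            if operator == "StringEquals" and key.startswith("s3:ExistingObjectTag/"):
                if tags.get(key.split("/", 1)[1]) not in expected:
                    return False
            elif operator == "IpAddress" and key == "aws:SourceIp":
                ip = ipaddress.ip_address(source_ip)
                if not any(ip in ipaddress.ip_network(cidr) for cidr in expected):
                    return False
            else:
                return False  # condition this model doesn't understand: fail closed
    return True

def _statement_applies(stmt, key, tags, source_ip):
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    return (_is_anonymous(stmt)
            and any(fnmatch.fnmatchcase("s3:GetObject", a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt.get("Resource", [])))
            and _conditions_hold(stmt.get("Condition", {}), tags, source_ip))

def policy_decision(policy, key, tags, source_ip, bpa):
    """Return "deny", "allow" or "none" for an anonymous GetObject on key."""
    decision = "none"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, key, tags, source_ip):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny wins over every allow
            decision = "allow"
    if decision == "allow" and bpa.get("RestrictPublicBuckets") and any(
            statement_is_public(s) for s in policy["Statement"]):
        return "none"  # a public policy grants nothing outside the owning account
    return decision

def acl_allows_public_read(grants, object_ownership, bpa):
    """Grants in the shape get-object-acl returns; looks for the AllUsers group."""
    if object_ownership == "BucketOwnerEnforced" or bpa.get("IgnorePublicAcls"):
        return False  # ACLs are turned off, or public ACL grants are ignored
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS
               and g.get("Permission") in ("READ", "FULL_CONTROL") for g in grants)

def anonymous_get_allowed(key, tags=None, source_ip="198.51.100.7", grants=(),
                          policy=POLICY, object_ownership="BucketOwnerEnforced", bpa=BPA_OFF):
    """True when either the bucket policy or the object ACL lets anyone read key."""
    decision = policy_decision(policy, key, tags or {}, source_ip, bpa)
    if decision == "deny":
        return False
    return decision == "allow" or acl_allows_public_read(grants, object_ownership, bpa)

if __name__ == "__main__":
    print(anonymous_get_allowed("docs/a.txt", tags={"public": "yes"}))
    print(anonymous_get_allowed("partner/c.csv", source_ip="192.0.2.10", bpa=BPA_ON))
```

The model reproduces the two outcomes that most often surprise people: with all Block Public Access settings on, the tag and prefix statements grant nothing even though the policy attached, while a policy that contains only the IP-range statement keeps working; and a public-read ACL does nothing while Object Ownership is Bucket owner enforced.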
Related information
Configuring ACLs
Blocking public access to your Amazon S3 storage