Where does the 301 redirect to? Does it go to https://BUCKETNAME.s3.us-east-1.amazonaws.com/index.html? If so, then the end result will be 403.
Update: If you're redirecting to an external website then the policy is still working as designed - it's not retrieving an object at that point, it's performing a redirect so the logic that says "you can't perform a GetObject call" isn't being executed yet.
Bigger question: What's the end result you're trying to get here? If you're redirecting within the bucket then things will work as expected: The first call will redirect to an object to which access will then be denied. Or is there another outcome expected?
Update the second: The API and website endpoints are definitely different - in this case (a GET request for an object that doesn't exist) the API endpoint behaves as expected because the GET request reaches the storage layer and is then evaluated against the policy before it is allowed to "see" if the object exists. The website endpoint is different because it is following web server semantics; the redirect takes effect first - and in this case it is for an object that doesn't exist anyway.
I'm not as familiar with Cloudflare as I am with AWS; but if you were doing this with CloudFront I'd do the redirect from the www site within the CDN - that way you don't have to have the second bucket and it saves you time and cost on the requests to it.
It makes no difference what I set as the redirect address. I updated my question including my test setting it to google.com.
Thank you for your response! My situation involves two AWS S3 buckets - one hosts a static website while the other redirects www to the apex domain. A non-AWS proxy, in this case Cloudflare (or, alternatively, a Traefik reverse proxy), is set up to connect to these buckets. My objective is to allow visitors to access the buckets only through the proxy, and disallow any direct request to the bucket. To this end, I have included the proxy's IP addresses as an IpAddress condition.
As a newcomer to AWS and cloud computing, I find the GetObject permission documentation somewhat ambiguous regarding how it applies to both the API and WEBSITE endpoints. Based on what I understand, the permission covers all get operations on the bucket, and even if the server redirects instead of providing a file, direct requests should be blocked. However, I'm still unsure about how to limit access to the WEBSITE endpoint. Can you offer guidance on this topic?
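The setup described in this thread, written out as a bucket policy (an added example, not taken from the original posts): `s3:GetObject` on the content bucket is allowed only when the request arrives from the proxy's addresses. The two CIDR ranges are constructed placeholders from documentation address space, the `Sid` is a made-up label, and `BUCKETNAME` is the placeholder used in the answer above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleAllowGetObjectFromProxyOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKETNAME/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.0/24"
          ]
        }
      }
    }
  ]
}
```

As the answer explains, a bucket that only redirects returns its 301 from the website endpoint without any GetObject being evaluated, so this policy governs object reads and not the redirect itself.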