First, let me link you some context:

https://stackoverflow.com/a/9285074/6347501

I'm trying to create a public bucket for some app I'm writing. I have a policy to allow PUT and GET on all items in the bucket. But, as you can see from the link above, the policy simply won't apply to any items Put into the bucket that don't give me ownership.

Is there any solution? Is it actually possible to create a truly public bucket?

Ideally every object in this bucket is accessible to everyone regardless of who uploaded it.

Hunter

1 Answer

Here's a working policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

It denies any objects that don't use the canned ACL "bucket-owner-full-access," which are also objects that would ignore our open GetObject policy.

Hunter
  • This is the correct way to implement a really bad idea. A public bucket begs to be abused. – Michael - sqlbot Jul 17 '16 at 03:52
  • Have you considered that this might not be a production policy? – Hunter Jul 17 '16 at 03:56
  • I would assert that a public-writable bucket has exactly zero valid use cases. Sign the requests. – Michael - sqlbot Jul 17 '16 at 04:25
  • Well, it does have one, when I'm not trying to release something to production, and I'm short on time. How's that? I'd like to hear how that, which is quite useful, is invalid, or why it's any of your business whether or not it's valid for that matter. – Hunter Jul 17 '16 at 04:31
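
A simplified model of how the policy in the answer above treats individual requests, added here as an example; it is not part of the original post and not AWS's own evaluation code. It assumes only what that policy uses (`Principal: "*"`, wildcard resources, `StringEquals`) and no other policy applying to the caller; the object keys in the sample requests are constructed.

```python
from fnmatch import fnmatchcase

OBJECTS = "arn:aws:s3:::my-bucket/*"  # placeholder bucket name from the answer
# The answer's policy, written compactly as a Python dict.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJECTS},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource, context):
    """True if one statement applies to the request (simplified model)."""
    if stmt.get("Principal") != "*":
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    condition = stmt.get("Condition", {})
    if set(condition) - {"StringEquals"}:
        # Fail closed on anything this sketch does not model.
        raise ValueError("condition operator not modelled in this example")
    # StringEquals: the key must be present in the request and equal a listed value.
    for key, wanted in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" (nothing matched)."""
    context = context or {}
    effects = [s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource, context)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

if __name__ == "__main__":
    key = "arn:aws:s3:::my-bucket/report.txt"  # constructed object key
    acl = {"s3:x-amz-acl": "bucket-owner-full-control"}
    print("PUT, no ACL header:  ", evaluate(POLICY, "s3:PutObject", key))
    print("PUT, public-read ACL:", evaluate(POLICY, "s3:PutObject", key, {"s3:x-amz-acl": "public-read"}))
    print("PUT, owner ACL:      ", evaluate(POLICY, "s3:PutObject", key, acl))
    print("GET:                 ", evaluate(POLICY, "s3:GetObject", key))
    print("DELETE:              ", evaluate(POLICY, "s3:DeleteObject", key))
```

In this model an upload without the `x-amz-acl: bucket-owner-full-control` header is refused because no `Allow` statement matches it, not because a `Deny` statement exists.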