How to configure Amazon S3 bucket for read-only access to host a static website?

0

I have a very small (static) website hosted on Amazon S3. Yesterday I received the following message, that had this subject line:

Notification of Amazon S3 buckets configured for public access

And the message had this content (screenshot):

Hello,

We’re writing to notify you that your AWS account XXXXXXX has one or more S3 buckets that allow read or write access from any user on the Internet. By default, S3 buckets allow only the account owner to access the contents of a bucket; however, customers can configure S3 buckets to permit public access.

Unless you have a specific reason (such as hosting a public website) for this configuration, we recommend that you update your bucket and restrict public access. Your list of buckets configured to allow access by anyone on the Internet as of August 9, 2019 are:

ACCOUNT_XXXXXXXXXXXXXXXXXXX

If you did not intend to provide public access to this bucket then you should take immediate action by enabling S3 Block Public Access [1] on this bucket. This feature is free of charge and it only takes a minute to enable. For step by step instructions on setting up S3 Block Public Access via the S3 management console, see Jeff Barr’s blog [2]. Once you’ve locked down your bucket, we recommend checking for past unintended access to your bucket per the instructions below on analyzing logs.

For more information on S3 Block Public Access, check out the video tutorial on Amazon S3 Block Public Access [3]. For AWS's definition of "Public Access," please see The Meaning of "Public" [4].

I logged in to my Amazon S3 account and tried to find a way to set up my files for the read-only access. Again, all it has to do is to allow anyone to download. That is it. (As I was obviously not aware of anyone being able to modify my files when I set it up. Allowing this by default would be kinda silly, don't you think?)

I was able to find these controls:

[image]

but I honestly got a raging headache trying to understand how to do that.

Can someone please explain how I can set up my files for read-only access?


EDIT: To reply to the answer below, the bucket policy is already set to this:

[screenshot]

c00000fd

Posted 2019-09-02T02:25:11.510

Reputation: 339

1 The ambiguous targeting of this email is unfortunate. It says "read or write access" but it literally means "read and/or write access" -- maybe just read, maybe just write, maybe both -- you can't determine from this notification whether the bucket is publicly readable (as you intended) or whether it's publicly writable (as you did not intend). – Michael - sqlbot – 2019-09-02T15:55:40.363

@Michael-sqlbot man, this is really messed up. Now I totally understand how those S3 buckets get compromised. It's not only so fr*king confusing to set up those permissions, they are also confused themselves who to notify. – c00000fd – 2019-09-02T19:17:15.510

Answers

1

Click on Bucket Policy and make sure the action is as below.

"Action": "s3:GetObject",

Get Object means people can read only.

PJang

Posted 2019-09-02T02:25:11.510

Reputation: 11

I checked, and it's already set to that line (besides some other stuff.) I updated my question with a screenshot. Do I need to remove the rest of it, or what? – c00000fd – 2019-09-02T07:08:11.110

That looks perfect. It's read-only access to the public. You don't have to make any changes. – PJang – 2019-09-02T11:00:12.237

Thanks. Now the (rhetorical) question is how am I supposed to know this? How is it in any human logic that "GetObject" would mean "read-only".... or do I need to complete a month-long Amazon-only-security course to know all this. (Just venting.) – c00000fd – 2019-09-02T19:18:05.083

Hello, it is somewhat difficult to understand initially if you don't know JSON policies. Here are some references you can read to understand how it works: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-2 , https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html , https://awspolicygen.s3.amazonaws.com/policygen.html – PJang – 2019-09-03T00:30:48.103
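As an added example (not part of the original question, answer or comments): since the notification does not say whether a bucket is publicly readable or publicly writable, this Python sketch reads a bucket policy document and reports which actions it allows to anyone. The sample policies, the bucket name `example-bucket` and the function names are constructed for illustration.

```python
import json

# Actions this example treats as plain reads (assumption; IAM action names are case-insensitive).
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion"}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*"]}."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return principal == "*"

def public_grants(policy_json):
    """Split actions allowed to anyone into 'read' and 'other' (write or wildcard)."""
    grants = {"read": [], "other": []}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        # Condition blocks are ignored here, so a conditioned grant is still reported.
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # NotAction allows everything except the listed actions: treat as a wildcard.
        actions = ["*"] if "NotAction" in stmt else _as_list(stmt.get("Action"))
        for action in actions:
            kind = "read" if action.lower() in READ_ACTIONS else "other"
            grants[kind].append(action)
    return grants

def verdict(policy_json):
    grants = public_grants(policy_json)
    if grants["other"]:
        return "public beyond read: " + ", ".join(grants["other"])
    return "public read-only" if grants["read"] else "not public via bucket policy"

# Constructed sample policies; "example-bucket" is a placeholder name.
WEBSITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
RISKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(verdict(WEBSITE_POLICY))
    print(verdict(RISKY_POLICY))
```

This looks at the bucket policy only; bucket and object ACLs can also grant public access and are not examined here.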