I want some objects in my Amazon Simple Storage Service (Amazon S3) bucket to be publicly readable, but I don't want to change the permissions on other objects that are in the same bucket. How can I do that?

Enable public read access in one of these ways:

  • Update the object's access control list (ACL) using the Amazon S3 console
  • Update the object's ACL using the AWS Command Line Interface (AWS CLI)
  • Use a bucket policy that grants public read access to a specific object tag
  • Use a bucket policy that grants public read access to a specific prefix

Update the object's ACL using the Amazon S3 console

To make several objects public at once, follow these steps:

  1. Open the Amazon S3 console.
  2. From the list of buckets, choose the bucket with the objects that you want to update.
  3. Navigate to the folder that contains the objects.
  4. From the object list, select all the objects that you want to make public.
  5. Choose Actions, and then choose Make public.
  6. In the Make public dialog box, confirm that the list of objects is correct.
  7. Choose Make public.

To make an individual object public, follow these steps:

  1. From the Amazon S3 console, choose the bucket with the object that you want to update.
  2. Navigate to the folder that contains the object.
  3. From the object list, choose the name of the object.
  4. Choose the Permissions view.
  5. Under Public access, choose Everyone.
  6. In the Everyone dialog box, for Access to the object, select Read object.
  7. Choose Save.

Update the object's ACL using the AWS CLI

For an object that's already stored on Amazon S3, you can run this command to update its ACL for public read access:

aws s3api put-object-acl --bucket bucket-name --key my_object --acl public-read

Or, you can run this command to grant full control of the object to the AWS account owner, and read access to everyone else:

aws s3api put-object-acl --bucket bucket-name --key my_object --grant-full-control emailaddress=accountowneremail@emaildomain.com --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers

Use a bucket policy that grants public read access to a specific object tag

Important: Before you begin, be sure to review the pricing for S3 Object Tagging.

First, add a bucket policy that allows public read access to any objects with a specific tag. For example, this policy allows public read access for any object that's tagged with the key-value pair public=yes:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/public": "yes"
                }
            }
        }
    ]
}

Then, add the tag to the objects that you want to be publicly readable. You can add object tags by using the Amazon S3 console. Or, you can use the AWS CLI.

To check if an object has any existing tags, run this AWS CLI command:

aws s3api get-object-tagging --bucket bucketname --key my_object

To add a tag to an object that doesn't have any existing tags, run this command:

Warning: This command overwrites any existing object tags.

aws s3api put-object-tagging --bucket bucketname --key my_object --tagging 'TagSet={Key=public,Value=yes}'

To add a tag to an object that has existing tags, run the following command. Be sure to include the new object tag, as well as the existing tags that you want to keep.

aws s3api put-object-tagging --bucket bucketname --key my_object --tagging 'TagSet=[{Key=public,Value=yes},{Key=exampletag1,Value=one},{Key=exampletag2,Value=two}]'

After you add the object tag, run this command to review the object's tags:

aws s3api get-object-tagging --bucket bucketname --key my_object

Use a bucket policy that grants public read access to a specific prefix

To grant public read access to a specific object prefix, add a bucket policy similar to the following:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/publicprefix/*"]
    }
  ]
}

Then, copy the objects into the prefix with public read access. You can copy an object into the prefix by running a command similar to the following:

aws s3 cp s3://examplebucket/object s3://examplebucket/publicprefix/object
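Before you attach either bucket policy, you can confirm that it exposes only the tag or prefix that you intended. The following Python check is an added example, not part of the original article or an AWS tool. The function name public_read_scopes and the sample policy are assumptions made for illustration. It reads only Effect, Principal, Action, Resource, and StringEquals conditions on s3:ExistingObjectTag, so a grant limited by any other condition is still reported as unscoped.

```python
import json

def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous callers."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def public_read_scopes(policy_json):
    """Return (resource, scope) for each public s3:GetObject grant in a policy."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:getobject", "s3:get*", "s3:*", "*"}:
            continue
        # StringEquals on s3:ExistingObjectTag/<key> limits the grant to tagged objects.
        tags = sorted(
            f"{key.split('/', 1)[1]}={val}"
            for key, vals in stmt.get("Condition", {}).get("StringEquals", {}).items()
            if key.startswith("s3:ExistingObjectTag/")
            for val in _as_list(vals)
        )
        for resource in _as_list(stmt.get("Resource", [])):
            name = resource.split(":::", 1)[-1]      # "bucket/key-pattern" or "*"
            key_pattern = "*" if name == "*" else name.partition("/")[2]
            if not key_pattern:
                continue                             # bucket ARN alone matches no objects
            scope = ("tag:" + ",".join(tags) if tags
                     else "ENTIRE BUCKET" if key_pattern == "*"
                     else "prefix:" + key_pattern)
            findings.append((resource, scope))
    return findings

# Constructed sample: the prefix statement from this page plus an unscoped grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::examplebucket/publicprefix/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::examplebucket/*"}]})

if __name__ == "__main__":
    for resource, scope in public_read_scopes(SAMPLE_POLICY):
        print(f"{scope:24} {resource}")
```

Any line reported as ENTIRE BUCKET means that the statement makes every object in the bucket publicly readable, not only the tagged or prefixed ones.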

Published: 2018-12-26