How can I grant public read access to some objects in my Amazon S3 bucket?

Last updated: 2019-05-10

I want some objects in my Amazon Simple Storage Service (Amazon S3) bucket to be publicly readable. However, I don't want to change the permissions on other objects that are in the same bucket. How can I do that?

Short Description

Enable public read access in one of these ways:

  • Update the object's access control list (ACL) using the Amazon S3 console
  • Update the object's ACL using the AWS Command Line Interface (AWS CLI)
  • Use a bucket policy that grants public read access to a specific object tag
  • Use a bucket policy that grants public read access to a specific prefix

Resolution

Important: Before you begin, confirm that there are no Block Public Access settings on the bucket, or on the account, that prevent you from making the objects public. New S3 buckets have the Block Public Access settings enabled by default. The two ACL settings (BlockPublicAcls and IgnorePublicAcls) block the object ACL methods, and the two policy settings (BlockPublicPolicy and RestrictPublicBuckets) block the bucket policy methods. Turn off only the settings that the method you choose requires, and leave the rest enabled.

Update the object's ACL using the Amazon S3 console

To make several objects public at once, follow these steps:

  1. Open the Amazon S3 console.
  2. From the list of buckets, choose the bucket with the objects that you want to update.
  3. Navigate to the folder that contains the objects.
  4. From the object list, select all the objects that you want to make public.
  5. Choose Actions, and then choose Make public.
  6. In the Make public dialog box, confirm that the list of objects is correct.
  7. Choose Make public.

To make an individual object public, follow these steps:

  1. From the Amazon S3 console, choose the bucket with the object that you want to update.
  2. Navigate to the folder that contains the object.
  3. From the object list, choose the name of the object.
  4. Choose the Permissions tab.
  5. Under Public access, choose Everyone.
  6. In the Everyone dialog box, for Access to the object, select Read object.
  7. Choose Save.

Update the object's ACL using the AWS CLI

For an object that's already stored on Amazon S3, you can run this command to replace its ACL with the public-read canned ACL (owner gets full control, everyone else gets read). Note that an ACL applies to one object only: objects that you upload later stay private unless you set the ACL on each of them as well.

aws s3api put-object-acl --bucket awsexamplebucket --key exampleobject --acl public-read

Or, you can set the grants explicitly: full control to the bucket owner (identified here by the email address of the AWS account) and read access to everyone (the AllUsers group). Specifying a grantee by email address is supported only in some AWS Regions; where it isn't, identify the owner by canonical user ID (id=) instead. Either form replaces the object's existing ACL.

aws s3api put-object-acl --bucket awsexamplebucket --key exampleobject --grant-full-control emailaddress=accountowneremail@emaildomain.com --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers

Use a bucket policy that grants public read access to a specific object tag

Important: Before you begin, be sure to review the pricing for S3 Object Tagging.

First, add a bucket policy that allows public read access to any objects with a specific tag. For example, this policy allows public read access for any object that's tagged with the key-value pair public=yes:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::awsexamplebucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/public": "yes"
                }
            }
        }
    ]
}

Then, add the tag to the objects that you want to be publicly readable. You can add object tags by using the Amazon S3 console. Or, you can use the AWS CLI.

To check if an object has any existing tags, run this AWS CLI command: 

aws s3api get-object-tagging --bucket awsexamplebucket --key exampleobject

To add the tag to an object that doesn't have any existing tags, run this command:

Warning: put-object-tagging replaces the object's entire tag set, so any existing tag that you leave out of TagSet is removed.

aws s3api put-object-tagging --bucket awsexamplebucket --key exampleobject --tagging 'TagSet={Key=public,Value=yes}'

To add the tag to an object that already has tags, include the existing tags that you want to keep in the same TagSet along with the new tag. The tag value must match the bucket policy exactly (public=yes in this example), because StringEquals is case-sensitive:

aws s3api put-object-tagging --bucket awsexamplebucket --key exampleobject --tagging 'TagSet=[{Key=public,Value=yes},{Key=exampletag1,Value=one},{Key=exampletag2,Value=two}]'

After you add the tag, run the get-object-tagging command again to confirm that the object's tag set is what you expect:

aws s3api get-object-tagging --bucket awsexamplebucket --key exampleobject

Use a bucket policy that grants public read access to a specific prefix

To grant public read access to a specific object prefix, add a bucket policy similar to the following: 

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::awsexamplebucket/publicprefix/*"]
    }
  ]
}

Then, copy the objects into the prefix that has public read access. Because the policy matches on the key prefix rather than on individual objects, any object that is later uploaded under publicprefix/ is publicly readable as well, so treat that prefix as a public area. You can copy an object into the prefix by running a command similar to the following:

aws s3 cp s3://awsexamplebucket/exampleobject s3://awsexamplebucket/publicprefix/exampleobject
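The tag-scoped and prefix-scoped bucket policies above both grant anonymous s3:GetObject; they differ only in how the grant is scoped. The following is an added example, not part of the original article and not an AWS tool: a small offline evaluator that builds both policies and answers, for a given key and tag set, whether an anonymous caller could read the object, plus an audit check for the common mistake of a Resource of <bucket>/* with no Condition, which exposes the whole bucket. It models only the policy features used on this page (Effect Allow, Principal "*", s3:GetObject, wildcard Resources, StringEquals on s3:ExistingObjectTag/<key>) and raises on anything else. The bucket name and prefix are the page's placeholders. The real IAM evaluator also applies Block Public Access, explicit Denies and account-level policies, so use this to sanity-check a policy before you put it, and still verify with an unauthenticated request afterwards.

```python
"""Offline evaluator for the two public-read bucket policies on this page.

Models only the policy features the page uses: Effect Allow, Principal "*",
s3:GetObject, Resource ARNs with IAM wildcards, and StringEquals on
s3:ExistingObjectTag/<key>. Anything else raises NotImplementedError.
"""
import json
import re

BUCKET = "awsexamplebucket"  # placeholder bucket name used on the page


def tag_policy(bucket, tag_key="public", tag_value="yes"):
    """Public s3:GetObject only for objects carrying the tag tag_key=tag_value."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {f"s3:ExistingObjectTag/{tag_key}": tag_value}},
        }],
    }


def prefix_policy(bucket, prefix="publicprefix/"):
    """Public s3:GetObject for every key under prefix (current and future objects)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
        }],
    }


def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _arn_match(pattern, arn):
    # IAM resource matching: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def _anonymous_get_statements(policy):
    # Statements that could grant s3:GetObject to everyone ("*" or {"AWS": "*"}).
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if "s3:GetObject" in _as_list(stmt.get("Action", [])):
            yield stmt


def _conditions_met(statement, tags):
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator!r} is not modelled")
        for ckey, cvalues in pairs.items():
            if not ckey.startswith("s3:ExistingObjectTag/"):
                raise NotImplementedError(f"condition key {ckey!r} is not modelled")
            tag_key = ckey[len("s3:ExistingObjectTag/"):]
            # A missing or different tag value fails StringEquals, so untagged objects stay private.
            if tags.get(tag_key) not in _as_list(cvalues):
                return False
    return True


def anonymous_get_allowed(policy, bucket, key, tags=None):
    """True if the policy lets an anonymous caller read s3://bucket/key."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in _anonymous_get_statements(policy):
        if any(_arn_match(r, arn) for r in _as_list(stmt.get("Resource", []))):
            if _conditions_met(stmt, tags or {}):
                return True
    return False


def grants_whole_bucket_read(policy, bucket):
    """Audit check: an unconditional anonymous read whose Resource covers every key."""
    # A pattern that matches the bare bucket root (empty key) is <bucket>/* or broader.
    root = f"arn:aws:s3:::{bucket}/"
    for stmt in _anonymous_get_statements(policy):
        if stmt.get("Condition"):
            continue
        if any(_arn_match(r, root) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


if __name__ == "__main__":
    for name, pol in (("tag", tag_policy(BUCKET)), ("prefix", prefix_policy(BUCKET))):
        print(f"--- {name} policy ---")
        print(json.dumps(pol, indent=2))
        print("whole bucket public:", grants_whole_bucket_read(pol, BUCKET))
    print("tagged object readable:",
          anonymous_get_allowed(tag_policy(BUCKET), BUCKET, "exampleobject", {"public": "yes"}))
    print("object under prefix readable:",
          anonymous_get_allowed(prefix_policy(BUCKET), BUCKET, "publicprefix/exampleobject"))
```

Running the script prints both policies and the checks; the interesting cases are an object tagged public=n (not readable, because StringEquals needs the exact value yes) and a prefix policy called with an empty prefix, which the audit flags as exposing the whole bucket.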
