S3 bucket policy to allow anyone to view - but not list - all files in bucket?

Question

I guess an extremely common pattern for public S3 buckets is to allow anyone (ie the public) to view each file in a bucket if they got the URL for that object, but to not allow the public to list items in the bucket (ie they should not be able to generate a list of every item in the bucket).

This would probably be quite a common configuration for a lot of public websites which won't ever any assets that they have to hide from public view.

The first thing I did was went to S3 -> clicked on the bucket -> Permissions -> 'Block Public Access' -> Edit -> Uncheck all the boxes (thus allowing full public access to the items in the bucket).

But when I use the browser to visit an image URL directly, it's still 'Access Denied', which I suspect is because I have yet to allow public access via a Policy .

Question

What is the simplest policy to allow any member of the public to view (AKA 'read') any object in the S3 bucket ¹ , but not to list (ie see a list of all the objects) in the bucket?

¹ They'll need a URL to do so, unless they guess it.

Answer 1

Yes you are correct you are still getting access denied because there is no policy.

A simply policy to GET object would be. Docs for reference

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::Bucket-Name/*"
            ]
        }
    ]
}

Note : Here there is no usage of ListObject which does not give permission to user to list object in the bucket

Answer 2

In the AWS console visit: S3 -> click on your bucket -> Permissions -> Scroll down to 'Bucket policy' -> Click 'Edit'.

Note from S3 Policy Examples Docs :

Warning: Use caution when granting anonymous access to your Amazon S3 bucket or disabling block public access settings. When you grant anonymous access, anyone in the world can access your bucket. We recommend that you never grant anonymous access to your Amazon S3 bucket unless you specifically need to, such as with static website hosting.

For static website hosting where any member of the public should be able to access any file in the S3 bucket (but not list the files), here is the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

Simply replace DOC-EXAMPLE-BUCKET with the name of your bucket.

Note: the public cannot 'list' the files in the bucket, since the "s3:ListBucket" Action is not included above.