Ping a Specific Port

Question

quanta

Asked: 2014-03-21 08:23:14 +0800 CST2014-03-21 08:23:14 +0800 CST 2014-03-21 08:23:14 +0800 CST

Amazon S3 - private file is still downloadable for everyone?

772

I have some secret files which I want to restrict anonymous user from viewing/downloading. I have tried to make it private by running something like:

s3cmd setacl --acl-private s3://bucket/some/path/*.ext

Then I go to S3 Management Console, select the file, and click on Properties, I'm sure the Open/Download permission is un-checked for Everyone.

But copy the link https://s3-us-west-2.amazonaws.com/bucket/some/path/blah.ext, and paste into a new browser, it still can be open/download.

What I am missing?

2 Answers

Voted

quanta · Answer 1 · 2014-03-21T08:23:14+08:00

Best Answer

quanta

2014-03-21T08:23:14+08:002014-03-21T08:23:14+08:00

Check your bucket policy by going to bucket, then click on Properties and Edit Bucket Policy. If you have something like this:

    {
        "Sid": "Stmt1391783519913",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "s3:GetObject",
        ],
        "Resource": "arn:aws:s3:::bucket/*"
    },

it means that you are allowing everyone to download every files in this bucket.

According to the document:

If an account has access to resources that an ACL or policy specifies, they are able to access the requested resource.

That is the reason why an anonymous user can still open/download your files.

You can prevent it by adding a new policy like below:

    {
        "Sid": "Stmt1395306106592",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket/some/path/*.ext"
    },

5

Reed Tomlinson · Answer 2 · 2019-12-23T08:30:42+08:00

Reed Tomlinson

2019-12-23T08:30:42+08:002019-12-23T08:30:42+08:00

After you make a file private in S3, you may still be able to download it your browser has cached the file. As soon as you make the file private, it will return a 403 in any other browser (or private/incognito window), but may still be accessible from the original browser for a certain period of time.

If you want to confirm that the file is private, try downloading in a different browser (or curl, etc).

1

Amazon S3 - private file is still downloadable for everyone?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?