Contents x
      Bucket and Object Access
      • 23 Feb 2024
      • Print
      • PDF
      Contents

      Bucket and Object Access

      • Updated on 23 Feb 2024
      • Print
      • PDF
      Article Summary

      Bucket Access

      By default, access to a bucket is private. However, you can use a policy to make access available to:

      • Specific IP addresses
      • Public (any Internet user)
      By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.

      Defining a Bucket Policy for Public Access

      As a precaution, a bucket intended for public access must have an associated policy.

      Before defining a policy, you may want to review the Policies feature and Bucket Policy information.

      The following is a sample policy that allows for public access of a bucket. Change the bucket name in the Resource section (arn:aws:s3:::YOURBUCKET, shown in the example below) to reflect your resource name.

      {
      "Version": "2012-10-17",
      "Statement": [{
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
      "AWS": "*"
      },
      "Action": [
      "s3:GetObject",
      "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::YOURBUCKET/*"
      }]
      }
      Note that the following are the general formats for ARNs:
      arn:aws:service:account-id:resource-id
      arn:aws:service:account-id:resource-type/resource-id
      arn:aws:service:account-id:resource-type:resource-id

      After defining the policy for a bucket, you can access files directly via either of these URLs:

      • YOURBUCKETNAME.s3.wasabisys.com/FILENAME
      • s3.wasabisys.com/YOURBUCKET/FILENAME

      Restricted Access for Specific IP Addresses

      You can restrict access to objects in your bucket to a specific IP address by attaching a policy that contains an allowed IP address range in the Condition statement. Below is an example of a policy that restricts access to two IP addresses.

      • 179.22.0.0/16 restricts all IP addresses within the /16 subnet, and
      • 129.34.67.24/32 restricts just that specific IP address
      {
      "Id": "Policy1512590315712",
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "Stmt1512590314407",
      "Effect": "Deny",
      "Principal": {
      "AWS": "*"
      },
      "Action": "*",
      "Resource": [
      "arn:aws:s3:::my-bucket",
      "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
      "NotIpAddress": {
      "aws:SourceIp": ["179.22.0.0/16","129.34.67.24/32"]
      }
      }
      }
      ]
      }

      Folder and File Access

      Public access makes a folder available to any Internet user. This includes the ability to read objects from the bucket. Make sure there is no sensitive data in a folder that you make public.
      By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.

      You can set public access in two ways:

      Defining a Public Access Policy

      The following is a sample policy that allows for public access of a folder. Change the bucket and folder name in the Resource section (arn:aws:s3:::bucket-public/myfolder, shown in the example below) to reflect your resource name.

      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {
      "AWS": ""
      },
      "Action": [ "s3:GetObject", "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket-public/myfolder/*"
      }]
      }
      Note that the follow are the general formats for ARNs:
      arn:aws:service:account-id:resource-id
      arn:aws:service:account-id:resource-type/resource-id
      arn:aws:service:account-id:resource-type:resource-id

      After defining the policy, you can access files directly via either of these URLs:

      • YOURBUCKETNAME.s3.wasabisys.com/FILENAME<FolderName>
      • s3.wasabisys.com/YOURBUCKET/<FolderName>/FILENAME

      Making a Folder(s) Public or Private

      By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
      When you make a folder public, all files in the folder are made publicly available so that anyone can access it through the Internet without permission from these URLs:

           [bucketname].[serviceURL]/[path/filename]
           [serviceURL]/[bucketname]/[path/filename]

      Refer to the Wasabi Knowledge Base for service URLs for different regions.

      The Public Access feature is intended as a one-time setting, which overrides the status settings for individual files within the folder. If files are later uploaded into the folder, they are automatically uploaded as private. You may want to consider using a bucket policy to automatically set the status of files to be public (Bucket Policy).

      1. In the Objects list, click the folder icon. On the Folder Details panel, slide to enable/disable the Make Folder Public option.

        Or:

        In the Objects list, clickin the Actions column to the right of an individual folder name. Select Make Public or Make Private.

        Or:

        Clickto select one or multiple folders. Then, clickand select Make Public or Make Private.

      2. A message indicates that making large quantities of objects public (or private) can be inefficient. If you plan to modify more than 10,000 objects, Wasabi recommends that you use a bucket policy or update ACLs using the CLI. Click Continue after considering this warning.
      3. If you are making the folder(s) public, another warning is displayed. It indicates that the selected objects will be public and accessible by anyone who has Read permissions. Click OK to accept this condition.

      When a folder is public, the Folder Details appears as:

      Making a File(s) Public or Private

      By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
      1. In the Objects list, click anywhere (except) in the row of the file. On the File Details panel, slide to enable/disable the Make Folder Public option.

        Or:

        In the Objects list, clickin the Actions column to the right of an individual file name. Select Make Public or Make Private.

        Or:

        Clickto select one or multiple files. Then, clickand select Make Public or Make Private.

      2. If you are making the file(s) public, a warning indicates that the selected objects will be public and accessible by anyone who has Read permissions. If required, click OK to accept this condition.

      When a file is public, the File Details appears as:

      Linking to a File and Copying the File Path

      When a file is public, you can click the Link To File path to access the file. In addition, you can copy the path, such as to provide access to someone.


      What's Next
      Copyright © 2024 by Wasabi Technologies LLC
      75 Arlington Street, Suite 810, Boston, MA 02116 USA
      All Rights Reserved
      Visit us at https://wasabi.com
      WASABI and the WASABI logo are trademarks of Wasabi Technologies LLC and may not be used without permission of Wasabi Technologies. All other names are used for identification purposes only and are trademarks or registered trademarks of their respective companies.

      Information presented herein is subject to change without notice. Companies, names, and data used in examples are fictitious unless otherwise noted. No part of this information may be reproduced or transmitted in any form by means electronic or mechanical, for any purpose, without express written permission of Wasabi Technologies.