Bucket and Object Access: Private and Public
- 25 Jun 2024
- 4 Minutes to read
- Print
- PDF
Bucket and Object Access: Private and Public
- Updated on 25 Jun 2024
- 4 Minutes to read
- Print
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Bucket Access
By default, access to a bucket is private. You can change this with the Public Access Override setting for a bucket.
In addition, you can use a policy to make access available to:
- Specific IP addresses
- Public (any Internet user)
By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
Defining a Bucket Policy for Public Access
As a precaution, a bucket intended for public access must have an associated policy.
Before defining a policy, you may want to review the Policies feature and Bucket Policy information.
The following is a sample policy that allows for public access to a bucket. Change the bucket name in the Resource section (arn:aws:s3:::YOURBUCKET, shown in the example below) to reflect your resource name.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::YOURBUCKET/*"
}]
}Note that the following are the general formats for ARNs:
arn:aws:service:account-id:resource-id
arn:aws:service:account-id:resource-type/resource-id
arn:aws:service:account-id:resource-type:resource-id
arn:aws:service:account-id:resource-id
arn:aws:service:account-id:resource-type/resource-id
arn:aws:service:account-id:resource-type:resource-id
After defining the policy for a bucket, you can access files directly via either of these URLs:
- YOURBUCKETNAME.s3.wasabisys.com/FILENAME
- s3.wasabisys.com/YOURBUCKET/FILENAME
Restricted Access for Specific IP Addresses
You can restrict access to objects in your bucket to a specific IP address by attaching a policy that contains an allowed IP address range in the Condition statement. Below is an example of a policy that restricts access to two IP addresses.
- 179.22.0.0/16 restricts all IP addresses within the /16 subnet, and
- 129.34.67.24/32 restricts just that specific IP address
{
"Id": "Policy1512590315712",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1512590314407",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": ["179.22.0.0/16","129.34.67.24/32"]
}
}
}
]
}Folder and File Access
Public access makes a folder available to any Internet user. This includes the ability to read objects from the bucket. Make sure there is no sensitive data in a folder that you make public.
By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
You can set public access in two ways:
- Defining a policy, as described below
- Using Settings features for Making a Folder(s) Public or Private and Making a File(s) Public or Private
Defining a Public Access Policy
The following is a sample policy that allows for public access to a folder. Change the bucket and folder name in the Resource section (arn:aws:s3:::bucket-public/myfolder, shown in the example below) to reflect your resource name.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {
"AWS": ""
},
"Action": [ "s3:GetObject", "s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket-public/myfolder/*"
}]
}Note that the following are the general formats for ARNs:
arn:aws:service:account-id:resource-id
arn:aws:service:account-id:resource-type/resource-id
arn:aws:service:account-id:resource-type:resource-id
arn:aws:service:account-id:resource-id
arn:aws:service:account-id:resource-type/resource-id
arn:aws:service:account-id:resource-type:resource-id
After defining the policy, you can access files directly via either of these URLs:
- YOURBUCKETNAME.s3.wasabisys.com/FILENAME<FolderName>
- s3.wasabisys.com/YOURBUCKET/<FolderName>/FILENAME
Making a Folder(s) Public or Private
By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
When you make a folder public, all files in the folder are made publicly available so that anyone can access it through the Internet without permission from these URLs:
[bucketname].[serviceURL]/[path/filename]
[serviceURL]/[bucketname]/[path/filename]
Refer to the Wasabi Knowledge Base for service URLs for different regions.
[bucketname].[serviceURL]/[path/filename]
[serviceURL]/[bucketname]/[path/filename]
Refer to the Wasabi Knowledge Base for service URLs for different regions.
The Public Access feature is intended as a one-time setting, which overrides the status settings for individual files within the folder. If files are later uploaded into the folder, they are automatically uploaded as private. You may want to consider using a bucket policy to automatically set the status of files to be public (Bucket Policy).
- In the Objects list, click the folder icon
. On the Folder Details panel, slide to enable/disable the Make Folder Public option.Or:
In the Objects list, click
in the Actions column to the right of an individual folder name. Select Make Public or Make Private.Or:
Click
to select one or multiple folders. Then, click the More Options button:
and select Make Public or Make Private.
- A message indicates that making large quantities of objects public (or private) can be inefficient. If you plan to modify more than 10,000 objects, Wasabi recommends that you use a bucket policy or update ACLs using the CLI. Click Continue after considering this warning.
- If you are making the folder(s) public, another warning is displayed. It indicates that the selected objects will be public and accessible by anyone who has Read permissions. Click OK to accept this condition.
. On the Folder Details panel, slide to enable/disable the Make Folder Public option.
in the Actions column to the right of an individual folder name. Select Make Public or Make Private.
to select one or multiple folders. Then, click the More Options button:
When a folder is public, the Folder Details appears as:
Making a File(s) Public or Private
By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
- In the Objects list, click anywhere (except) in the row of the file. On the File Details panel, slide to enable/disable the Make Folder Public option.
Or:
In the Objects list, click
in the Actions column to the right of an individual file name. Select Make Public or Make Private.Or:
Click
to select one or multiple files. Then, click the More Options button:
and select Make Public or Make Private. - If you are making the file(s) public, a warning indicates that the selected objects will be public and accessible by anyone who has Read permissions. If required, click OK to accept this condition.
When a file is public, the File Details appears as:
Linking to a File and Copying the File Path
When a file is public, you can click the Link To File path to access the file. In addition, you can copy the path, such as to provide access to someone.
