Defining a Bucket Policy for Public Access

Public access makes a bucket available to any Internet user. This includes the ability to read objects from the bucket. Make sure there is no sensitive data in a folder that you make public.

Certain paid accounts (not trial accounts) can enable public access with the Public Access Override setting for a bucket if the Wasabi account was established before March 13, 2023. Accounts created after this date cannot enable public access using the Console or CLI. Wasabi recommends that you use another option, such as presigned URLs, to share your documents. If you require public bucket access, contact Wasabi Support for assistance.

As a precaution, a bucket intended for public access must have an associated policy.

The following is a sample policy that allows for public access to a bucket. Change the bucket name in the Resource section (arn:aws:s3:::YOURBUCKET, shown in the example below) to reflect your resource name.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowPublicRead",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": [
      "s3:GetObject",
      "s3:GetObjectVersion"
    ],
    "Resource": "arn:aws:s3:::YOURBUCKET/*"
  }]
}

Note that the following are the general formats for ARNs:
arn:aws:service:account-id:resource-id
arn:aws:service:account-id:resource-type/resource-id
arn:aws:service:account-id:resource-type:resource-id

After defining the policy for a bucket, you can access files directly via either of these URLs:

  • YOURBUCKET.s3.wasabisys.com/FILENAME
  • s3.wasabisys.com/YOURBUCKET/FILENAME

Restricted Access for Specific IP Addresses

You can restrict access to objects in your bucket to specific IP addresses by attaching a policy that contains the allowed IP address ranges in the Condition statement. Below is an example of a policy that denies every request whose source address is outside two allowed ranges.

  • 179.22.0.0/16 allows all IP addresses within the /16 subnet, and
  • 129.34.67.24/32 allows just that specific IP address

{
  "Id": "Policy1512590315712",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1512590314407",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["179.22.0.0/16","129.34.67.24/32"]
        }
      }
    }
  ]
}
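
Added example (not from the Wasabi documentation): a simplified Python check of the two policies above. It lists Allow statements open to any caller with no Condition, and tests whether a source IP falls under the Deny/NotIpAddress statement. The function names are hypothetical, and the model ignores Action and Resource matching and all other condition operators.

```python
import ipaddress

# Constructed inputs: the page's two policies as dicts (optional "Id" omitted).
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::YOURBUCKET/*"}]}
IP_RESTRICTED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1512590314407", "Effect": "Deny", "Principal": {"AWS": "*"},
    "Action": "*",
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    "Condition": {"NotIpAddress": {
        "aws:SourceIp": ["179.22.0.0/16", "129.34.67.24/32"]}}}]}


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (any caller)."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)


def public_allow_sids(policy):
    """Sids of Allow statements open to any caller with no Condition."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s["Effect"] == "Allow" and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]


def denied_by_source_ip(policy, source_ip):
    """True if a Deny + NotIpAddress statement applies to source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for s in _as_list(policy["Statement"]):
        cidrs = s.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp")
        if s["Effect"] != "Deny" or cidrs is None:
            continue
        nets = [ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs)]
        if not any(addr in net for net in nets):
            return True  # outside every listed range, so the Deny matches
    return False


if __name__ == "__main__":
    print("unconditional public Allow:", public_allow_sids(PUBLIC_READ))
    print("203.0.113.9 denied:", denied_by_source_ip(IP_RESTRICTED, "203.0.113.9"))
```

Assuming S3-style policy evaluation, a False result from denied_by_source_ip means only that this Deny statement does not apply; the request still needs an Allow from another statement or policy.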