S3 owner access rights

Tags: ACG

Working through this common question will help you understand how S3 decides who is making a request, and therefore which permissions apply.

Why can I not access the image file in S3 if I am the owner of the file and I have Read and Write access in my permissions next to my name? Why do I need to make the object Public to everyone?

That depends on how you are trying to access it. Let's step back and look at this in steps.

1. The bucket and its contents are owned by the AWS account, not by you as an IAM user. The "Read/Write" grant you see next to the owner's name in the object's permissions is an ACL grant to that account. Your IAM user does not own the object; it is given rights to it via the bucket policy, or via the IAM user policy or role that you are associated with.

2. There are two ways to reach the object from the console, and they are evaluated very differently:

  • On the object details page there is an Open button. This opens the object with the credentials of your console session (the console generates a pre-signed URL on your behalf), so the request is authenticated and permission comes from the bucket policy and from the IAM policies or role attached to your identity.
  • If instead you copy the Object URL shown on that page (the https://bucket-name.s3.region.amazonaws.com/key form) into a browser, the request carries no AWS credentials and no signature. You are accessing the object over the internet with exactly the same rights as any anonymous internet user, and S3 has no way to tell that the person behind that connection is you. Only grants made to everyone (a bucket policy whose principal is "*", or an ACL grant to AllUsers) can satisfy such a request, and S3 Block Public Access, which is enabled by default on new buckets, overrides even those.

There is no magic where S3 looks at the requester's IP address or browser cookies, checks whether your account has an IAM user that might match, and guesses whether to give you access. Authorization is based solely on what the request itself carries.

When you come in through the public URL you are just Public. The only exception is a request that carries proof of identity: a pre-signed URL, whose query string contains the signer's access key and a signature over the request, or a request signed by the CLI, an SDK, or the console itself. Note that a pre-signed URL is a bearer credential: S3 verifies the signature and the expiry, not who is presenting it, so anyone who obtains the URL has the signer's access to that object until it expires.
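The two kinds of URL contrasted above, as an added example that is not part of the original page: a pure-Python implementation of the SigV4 query-string presigning that S3 uses for a GET, together with the check S3 performs when such a URL arrives. It shows that the plain object URL carries nothing S3 can attribute to a principal, that a pre-signed URL carries the signer's access key and a signature bound to the exact host, path and expiry, and that verification never asks who presents the URL. The bucket, key, region and the AKIAIOSFODNN7EXAMPLE key pair are constructed placeholders (the AWS documentation's sample credentials), and the regional virtual-hosted host name is an assumption.

```python
"""Why a plain S3 object URL is anonymous while a pre-signed URL is not.

Added example, not code from the original page or from AWS. Pure-Python
SigV4 presigning for GET plus the verification S3 performs. Runs offline;
all bucket names, keys, dates and credentials below are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signature(host, canonical_uri, params, secret_key, region, amz_date):
    """SigV4 for a presigned GET: canonical request -> string to sign -> HMAC chain."""
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",    # canonical headers: only host is signed in a presigned URL
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date),
                                  region), "s3"), "aws4_request")
    sig = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return canonical_query, sig


def object_url(bucket, key, region):
    """The 'Object URL' the console shows: no credential and no signature,
    so S3 evaluates the request as anonymous. Host name format is assumed."""
    return f"https://{bucket}.s3.{region}.amazonaws.com/{quote(key, safe='/')}"


def presign_get(bucket, key, region, access_key, secret_key, signed_at, expires=3600):
    """The kind of URL the console's Open button hands to your browser."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = signed_at.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_uri = "/" + quote(key, safe="/")
    query, sig = _signature(host, canonical_uri, params, secret_key, region, amz_date)
    return f"https://{host}{canonical_uri}?{query}&X-Amz-Signature={sig}"


def principal_from_url(url):
    """Everything S3 can learn about the caller from the URL alone: None when
    no credential is present (anonymous), otherwise the access key ID."""
    q = parse_qs(urlparse(url).query)
    if "X-Amz-Credential" not in q or "X-Amz-Signature" not in q:
        return None
    return q["X-Amz-Credential"][0].split("/")[0]


def verify_presigned_get(url, secret_key, now):
    """S3's side: recompute the signature with the signer's secret and enforce
    X-Amz-Expires. Nothing here asks who presents the URL: anyone holding it
    passes until expiry, which is what makes it a bearer credential."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    presented = q.pop("X-Amz-Signature", None)
    if presented is None or "X-Amz-Credential" not in q:
        return False  # anonymous request: nothing to verify
    _key_id, _date, region, _service, _term = q["X-Amz-Credential"].split("/")
    amz_date = q["X-Amz-Date"]
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=int(q["X-Amz-Expires"])):
        return False
    _, expected = _signature(u.netloc, u.path, q, secret_key, region, amz_date)
    return hmac.compare_digest(expected, presented)


def demo():
    """Walk the scenario from the question with constructed inputs."""
    bucket, key, region = "examplebucket", "photos/cat.jpg", "us-east-1"
    access_key, secret = "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    signed_at = datetime(2013, 5, 24, tzinfo=timezone.utc)
    plain = object_url(bucket, key, region)
    signed = presign_get(bucket, key, region, access_key, secret, signed_at, expires=3600)
    return {
        "plain_url": plain,
        "signed_url": signed,
        "plain_principal": principal_from_url(plain),    # None: anonymous caller
        "signed_principal": principal_from_url(signed),  # access key from X-Amz-Credential
        "valid_now": verify_presigned_get(signed, secret, signed_at + timedelta(minutes=5)),
        "valid_after_expiry": verify_presigned_get(signed, secret, signed_at + timedelta(hours=2)),
        # changing the object key in the path breaks the signature, as does the wrong secret
        "valid_tampered_path": verify_presigned_get(signed.replace("cat.jpg", "dog.jpg"), secret, signed_at),
        "valid_wrong_secret": verify_presigned_get(signed, "not-the-real-secret", signed_at),
        "plain_verifies": verify_presigned_get(plain, secret, signed_at),
    }
```

Calling demo() shows plain_principal as None and signed_principal as the access key ID: the only difference S3 can see between the two requests is the credential and signature in the query string. The expired and tampered cases are what S3 rejects; the valid_now case is what it accepts from anyone who holds the URL, which is why pre-signed URLs should be short-lived and handled as secrets.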
