AWS · Cloudintermediate

AWS S3 Bucket Policy — Secure Public Read

An S3 bucket policy that allows public read of static assets while forcing HTTPS and blocking every other action — a common CDN/origin setup.

s3awsbucket-policysecurityhttpscdn

Preview

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-public-assets/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-public-assets",
        "arn:aws:s3:::my-public-assets/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

AI actions

Documentation

Purpose

Serve static files publicly over HTTPS while denying insecure transport and any write/delete action.

When to use

A public assets bucket behind a CDN, a static website origin, or any bucket serving read-only files to anonymous users.

Required fields

  • Version — policy language version
  • Statement — the permission statements
  • Principal — who the statement applies to ("*" = everyone)
  • Resource — bucket and object ARNs

Optional fields

  • Sid — statement id
  • Condition — e.g. aws:SecureTransport, aws:Referer, source VPC

Best practices

  • Always pair a public-read Allow with a deny-insecure-transport statement.
  • Prefer serving through CloudFront and locking the bucket to its OAI/OAC.
  • Keep Block Public Access on unless the bucket genuinely must be public.

Security considerations

  • Public read means anyone on the internet can fetch every object — never store secrets here.
  • The SecureTransport deny below blocks plain HTTP; keep it.
  • Review with S3 Access Analyzer before shipping public policies.