AWS · Cloudintermediate
AWS S3 Bucket Policy — Secure Public Read
An S3 bucket policy that allows public read of static assets while forcing HTTPS and blocking every other action — a common CDN/origin setup.
s3awsbucket-policysecurityhttpscdn
Preview
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-public-assets/*"
},
{
"Sid": "DenyInsecureTransport",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-public-assets",
"arn:aws:s3:::my-public-assets/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}AI actions
Documentation
Purpose
Serve static files publicly over HTTPS while denying insecure transport and any write/delete action.
When to use
A public assets bucket behind a CDN, a static website origin, or any bucket serving read-only files to anonymous users.
Required fields
- Version — policy language version
- Statement — the permission statements
- Principal — who the statement applies to ("*" = everyone)
- Resource — bucket and object ARNs
Optional fields
- Sid — statement id
- Condition — e.g. aws:SecureTransport, aws:Referer, source VPC
Best practices
- Always pair a public-read Allow with a deny-insecure-transport statement.
- Prefer serving through CloudFront and locking the bucket to its OAI/OAC.
- Keep Block Public Access on unless the bucket genuinely must be public.
Security considerations
- Public read means anyone on the internet can fetch every object — never store secrets here.
- The SecureTransport deny below blocks plain HTTP; keep it.
- Review with S3 Access Analyzer before shipping public policies.