Go slowly   About  Contact  Archives

S3 Setup for Serving Public Content

IAM policy

Create a specific IAM user to interact with S3 bucket, and Cloudfront if you use a CDN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::assets.example.com/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudfront:CreateInvalidation"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Bucket policy

You should allow public objects, ACLs, and add a get public object policy for the bucket:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::assets.example.com/*"
        }
    ]
}

Bucket CORS

Allow CORS if you intend to use your assets cross domains:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "HEAD",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [
            "ETag"
        ],
        "MaxAgeSeconds": 3000
    }
]

Written on January 13, 2023.