When you configure a bucket as a website, you must make the objects you want to serve
via the website endpoint publicly readable. You can accomplish this by writing a bucket
policy granting everyone s3:GetObject permission. On the website endpoint,
if a user requests an object that does not exist, the website endpoint returns 404 (Not
Found). However, if the object exists but you have not granted read permission on the
object, the website endpoint returns a 403 (Access Denied). This can allow a user to
infer whether specific objects exist in your bucket. If you do not want this behavior, you
should not enable website support for your bucket.
The following sample bucket policy grants everyone access to the objects in the specified folder. For more information on bucket policies, see Using Bucket Policies.
{
  "Version":"2008-10-17",
  "Statement":[{
    "Sid":"PublicReadGetObject",
    "Effect":"Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action":["s3:GetObject"],
    "Resource":["arn:aws:s3:::example-bucket/*"
    ]
  }
  ]
}

You can grant public read permission to your objects using either a bucket policy or an object ACL. To make an object publicly readable using an ACL, you grant READ permission to the AllUsers group as shown in the following grant element. You add this grant element to the object ACL. For more information on managing ACLs, see Using ACLs.
<Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="Group">
<URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>
<Permission>READ</Permission>
</Grant>
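
The following Python sketch is an added example, not part of the original documentation. It models the 404/403 behavior described above for an offline audit: given a bucket policy, per-object ACL grants, and a list of existing keys, it reports which objects are unreadable yet still reveal their existence through a 403. The function names, the `public/` prefix, and the object keys are hypothetical, and the policy evaluation is simplified (Deny statements and Condition blocks are not evaluated).

```python
import json, re
import xml.etree.ElementTree as ET

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _wild(pattern, value):
    # Policy wildcards: '*' matches any run of characters, '?' matches one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.S) is not None

def policy_public_read(policy_json, bucket, key):
    """Unconditional Allow of s3:GetObject on key to everyone? (Simplified.)"""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        p = st.get("Principal")
        everyone = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        action = any(_wild(a.lower(), "s3:getobject") for a in _as_list(st.get("Action", [])))
        resource = any(_wild(r, arn) for r in _as_list(st.get("Resource", [])))
        if st.get("Effect") == "Allow" and "Condition" not in st and everyone and action and resource:
            return True
    return False

def acl_public_read(grant_xml):
    """True if the ACL fragment grants READ (or FULL_CONTROL) to AllUsers."""
    return any(g.findtext("Grantee/URI") == ALL_USERS
               and g.findtext("Permission") in ("READ", "FULL_CONTROL")
               for g in ET.fromstring(grant_xml).iter("Grant"))

def website_status(objects, policy_json, bucket, key):
    """objects maps each existing key to its ACL grant XML, or None."""
    if key not in objects:
        return 404
    acl = objects[key]
    public = policy_public_read(policy_json, bucket, key) or bool(acl and acl_public_read(acl))
    return 200 if public else 403

def detectable_private_keys(objects, policy_json, bucket):
    """Existing keys that answer 403: unreadable, but their existence is inferable."""
    return sorted(k for k in objects if website_status(objects, policy_json, bucket, k) == 403)

# Constructed sample data: policy scoped to a prefix, one object opened by ACL.
POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example-bucket/public/*"]}]})
ACL = ("<Grant><Grantee xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:type='Group'>"
       f"<URI>{ALL_USERS}</URI></Grantee><Permission>READ</Permission></Grant>")
OBJECTS = {"public/index.html": None, "logo.png": ACL, "reports/q3.pdf": None}
```

An empty result from `detectable_private_keys` means every object in the website bucket is readable, so the 403/404 difference reveals nothing about private content.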