Amazon S3 - private file is still downloadable for everyone?

I have some secret files which I want to restrict anonymous user from viewing/downloading. I have tried to make it private by running something like:

s3cmd setacl --acl-private s3://bucket/some/path/*.ext

Then I go to S3 Management Console, select the file, and click on Properties, I'm sure the Open/Download permission is un-checked for Everyone.

But copy the link https://s3-us-west-2.amazonaws.com/bucket/some/path/blah.ext, and paste into a new browser, it still can be open/download.

What I am missing?

Solution 1:

Check your bucket policy by going to bucket, then click on Properties and Edit Bucket Policy. If you have something like this:

    {
        "Sid": "Stmt1391783519913",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "s3:GetObject",
        ],
        "Resource": "arn:aws:s3:::bucket/*"
    },

it means that you are allowing everyone to download every files in this bucket.

According to the document:

If an account has access to resources that an ACL or policy specifies, they are able to access the requested resource.

That is the reason why an anonymous user can still open/download your files.

You can prevent it by adding a new policy like below:

    {
        "Sid": "Stmt1395306106592",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket/some/path/*.ext"
    },

Solution 2:

After you make a file private in S3, you may still be able to download it your browser has cached the file. As soon as you make the file private, it will return a 403 in any other browser (or private/incognito window), but may still be accessible from the original browser for a certain period of time.

If you want to confirm that the file is private, try downloading in a different browser (or curl, etc).