
Preventing Object Listing for Public Buckets on Minio

By default, setting a bucket to the "Public" access policy in the Minio console grants anonymous users s3:ListBucket as well as s3:GetObject, so anyone who requests the root of the bucket (e.g. https://s3.example.com/mybucket) receives an XML listing of every object in it and can scrape the entire contents (as shown below). In some cases this is useful and intended, but often it is not. We can prevent the listing by applying a custom access policy that grants the anonymous principal only the permissions needed to fetch individual objects and omits s3:ListBucket. Note that this only stops enumeration: any object whose key is known or guessable is still readable by anyone, so it is not a substitute for keeping sensitive data out of public buckets.

Bucket Contents Shown

Modified Public Access Policy

Source/Credit: https://stackoverflow.com/a/66187305

Replace %bucketname% with the name of the bucket you wish to apply the policy to. Note that the two Resource entries differ on purpose: the first names the bucket itself (needed for s3:GetBucketLocation), the second names the objects inside it (needed for s3:GetObject).

{
   "Statement":[
      {
         "Action":[
            "s3:GetBucketLocation"
         ],
         "Effect":"Allow",
         "Principal":{
            "AWS":[
               "*"
            ]
         },
         "Resource":[
            "arn:aws:s3:::%bucketname%"
         ]
      },
      {
         "Action":[
            "s3:GetObject"
         ],
         "Effect":"Allow",
         "Principal":{
            "AWS":[
               "*"
            ]
         },
         "Resource":[
            "arn:aws:s3:::%bucketname%/*"
         ]
      }
   ],
   "Version":"2012-10-17"
}


Applying the Policy to the Bucket

  1. Download the Minio Client (mc) if you don't already have it. You can download it here!
  2. Connect to your Minio Server (the alias name "local" is arbitrary; prefer https where the server supports it):
     mc.exe alias set local http://host:port ACCESS_KEY SECRET_KEY
  3. Apply the policy defined above, saved as policy.json:
     mc.exe policy set-json C:\path\policy.json local/%bucketname%
     On current mc releases the policy subcommand has been renamed to anonymous, so the equivalent is mc.exe anonymous set-json C:\path\policy.json local/%bucketname%. On Linux and macOS the binary is simply mc.

The policy is now applied to the bucket. An anonymous request to the root of the bucket returns an AccessDenied error instead of the object listing (as shown below), while requests for individual objects by key continue to succeed.

Bucket Contents Hidden
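The following script ties the policy and the procedure above together. It is an added example, not code from the original post or from the MinIO project: it builds the policy for a given bucket name and writes policy.json, audits any bucket policy for anonymous listing rights (including wildcards such as s3:* that also grant s3:ListBucket), applies the file with mc, and finally checks from the outside that the bucket root is denied while a known object still downloads. The bucket name "mybucket", the alias "local", the server URL https://s3.example.com, the object key "index.html" and the contents of CONSOLE_PUBLIC_POLICY are assumptions for illustration; the mc invocation assumes a release that has the renamed anonymous subcommand.

```python
"""Build, audit, apply and verify the "public but not listable" MinIO bucket policy.

Added example for this post; not code from the original page or from MinIO.
Assumed placeholders: bucket "mybucket", mc alias "local", server URL
https://s3.example.com and object key "index.html". Standard library only;
applying the policy shells out to mc.
"""
import fnmatch
import json
import subprocess
import urllib.error
import urllib.request


def build_policy(bucket: str) -> dict:
    """The policy from the post: anonymous GetBucketLocation on the bucket ARN,
    anonymous GetObject on the object ARN, and deliberately no s3:ListBucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": ["*"]},
             "Action": ["s3:GetBucketLocation"], "Resource": [bucket_arn]},
            {"Effect": "Allow", "Principal": {"AWS": ["*"]},
             "Action": ["s3:GetObject"], "Resource": [f"{bucket_arn}/*"]},
        ],
    }


def write_policy_file(bucket: str, path: str) -> str:
    """Write build_policy(bucket) to `path` as JSON and return the JSON text."""
    text = json.dumps(build_policy(bucket), indent=2)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return text


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} / {"AWS": ["*"]} means anyone, unauthenticated."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def anonymous_actions(policy: dict) -> set:
    """Action patterns (lower-cased) the policy allows to the anonymous principal."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            allowed.update(a.lower() for a in _as_list(stmt.get("Action")))
    return allowed


def allows_anonymous_listing(policy: dict) -> bool:
    """True if anonymous users may enumerate objects: s3:ListBucket granted directly
    or through a wildcard such as s3:List*, s3:* or *."""
    return any(fnmatch.fnmatchcase("s3:listbucket", pattern)
               for pattern in anonymous_actions(policy))


# Constructed sample approximating what the console's "Public" setting grants; the
# s3:ListBucket action in the first statement is what exposes the bucket contents.
CONSOLE_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::mybucket"]},
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::mybucket/*"]},
    ],
}


def apply_with_mc(alias: str, bucket: str, policy_path: str) -> None:
    """Step 3 of the post via the renamed subcommand (assumes mc on PATH)."""
    subprocess.run(["mc", "anonymous", "set-json", policy_path, f"{alias}/{bucket}"],
                   check=True)


def anonymous_status(url: str) -> int:
    """HTTP status of an unauthenticated GET: 200 for an object, 403 for a denied listing."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def listing_blocked(server: str, bucket: str, known_key: str) -> bool:
    """Post-change check: bucket root must be 403 (AccessDenied) while a known object
    still downloads with 200. Both true means the policy behaves as the post describes."""
    base = server.rstrip("/")
    return (anonymous_status(f"{base}/{bucket}/") == 403
            and anonymous_status(f"{base}/{bucket}/{known_key}") == 200)


if __name__ == "__main__":
    write_policy_file("mybucket", "policy.json")
    assert not allows_anonymous_listing(build_policy("mybucket"))
    assert allows_anonymous_listing(CONSOLE_PUBLIC_POLICY)
    # Against a real server (assumed placeholders):
    # apply_with_mc("local", "mybucket", "policy.json")
    # print(listing_blocked("https://s3.example.com", "mybucket", "index.html"))
```

To audit buckets that are already public, fetch each stored policy with mc anonymous get-json local/%bucketname% (mc policy get-json on older releases), parse it with json.loads and pass it to allows_anonymous_listing; a True result means the bucket still exposes its object listing. The verification step deliberately checks both outcomes, since a policy that returns 403 for the root but also for a known object key has broken public downloads rather than just hiding the listing.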