Amazon S3 — buckets and public objects

Beginner
Updated: Aug 2025
S3 / IAM / console

What you’ll learn

Amazon Simple Storage Service (S3) is object storage for files, images, logs, backups, and static site artifacts. In this guide you create a bucket, upload a test object, and attach a minimal bucket policy so the object’s URL loads anonymously in a browser—useful for learning how GetObject permissions work.

S3 complements compute: for example you might serve user uploads or marketing assets from S3 while your app runs on EC2 or behind an Application Load Balancer. Pairing S3 with CloudFront and private buckets is the usual production pattern; this page keeps the console flow from the original tutorial with clearer security framing.

Prerequisites

Before you begin, ensure you have the following:

  • An AWS account with permission to create S3 buckets and edit bucket policies (for example s3:CreateBucket, s3:PutBucketPolicy, and object write actions).
  • Comfort using the S3 console in a non-production account or sandbox, because you will briefly allow public read access.

Create an S3 bucket

Bucket names are globally unique and DNS-like; pick a name you control, for example my-company-assets-dev.

  1. Sign in to the AWS Management Console and open S3.
  2. Choose Create bucket.

  3. Under General configuration, type a unique Bucket name and choose an AWS Region.

  4. Under Object Ownership, keep ACLs disabled (recommended) unless you have a legacy workflow that requires ACLs.

  5. To follow this tutorial’s public object URL test, clear Block all public access and acknowledge the warning. This exposes only what your bucket policy explicitly allows—still verify you are not uploading sensitive data.

  6. Leave other defaults unless your organisation requires encryption or versioning from day one, then choose Create bucket.

Upload objects

  1. Open the bucket from the bucket list.
  2. Choose Upload and add one or more files (for example a PNG or JPEG).

  3. Review permissions and properties, then choose Upload at the bottom of the wizard.


Configure a public read bucket policy

  1. Stay in the bucket and open the Permissions tab.
  2. Scroll to Bucket policy and choose Edit.
  3. Paste a policy that allows anonymous s3:GetObject on all objects in the bucket. Replace your-bucket-name with your bucket name (the ARN must match exactly).

    Bucket policy (JSON)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
      ]
    }
  4. Save the policy. If the console reports errors, confirm the JSON is valid and the bucket name in the ARN matches.
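
An added example, not part of the original tutorial: an offline checker that reads a bucket policy like the one above, lists the statements that grant access to everyone, and answers whether an unsigned request for a given action and ARN would pass. It is a simplification: statements with a Condition are only flagged, NotPrincipal/NotAction/NotResource are not handled, and the function names and the logo.png key are illustrative.

```python
import json
import re

# The tutorial's policy; "your-bucket-name" is the page's placeholder.
TUTORIAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::your-bucket-name/*"}]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean any caller, signed in or not.
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _wild(pattern, value):
    # Policy wildcards are only * and ?; everything else is literal.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.S) is not None

def _matches(stmt, action, resource):
    # Action names compare case-insensitively, resource ARNs do not.
    return (any(_wild(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", [])))
            and any(_wild(r, resource) for r in _as_list(stmt.get("Resource", []))))

def anonymous_findings(policy):
    """List Allow statements whose principal is everyone."""
    return [{"statement": s.get("Sid", i), "actions": _as_list(s.get("Action", [])),
             "resources": _as_list(s.get("Resource", [])), "conditional": "Condition" in s}
            for i, s in enumerate(_as_list(policy["Statement"]))
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))]

def anonymous_can(policy, action, resource, restrict_public_buckets=False):
    """Simplified check: would an unsigned request be allowed by this policy?"""
    if restrict_public_buckets:  # Block Public Access overrides a public policy
        return False
    hits = [s for s in _as_list(policy["Statement"])
            if _is_anonymous(s.get("Principal")) and "Condition" not in s
            and _matches(s, action, resource)]
    if any(s.get("Effect") == "Deny" for s in hits):  # explicit deny wins
        return False
    return any(s.get("Effect") == "Allow" for s in hits)

if __name__ == "__main__":
    arn = "arn:aws:s3:::your-bucket-name/logo.png"  # constructed sample key
    print(anonymous_findings(TUTORIAL_POLICY), anonymous_can(TUTORIAL_POLICY, "s3:GetObject", arn))
```

Passing restrict_public_buckets=True models the RestrictPublicBuckets part of Block Public Access; narrowing the Resource to a prefix such as your-bucket-name/public/* limits what the same check reports as readable.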

Test the object URL

  1. Open the Objects list inside the bucket.
  2. Select an object you uploaded.
  3. Under Object URL, copy the HTTPS link or open it in a new tab.

  4. When the policy is correct, the image or file loads without signing in. You can embed that URL in HTML <img src="..."> for static marketing pages, or migrate the same objects behind CloudFront later.


Explore more S3 capabilities

After you are comfortable with buckets and policies, experiment with features that matter for operations and cost:

  • Versioning — retain multiple variants of an object and recover from accidental overwrites.
  • Server access logging — record request metadata to another bucket for auditing.
  • Static website hosting — serve index.html and error documents from a website endpoint (often combined with CloudFront).
  • Lifecycle rules — transition objects to cheaper storage classes or expire them on a schedule.

Key takeaways

  1. Buckets are regional containers; object keys form the logical path inside the bucket.
  2. Block Public Access must allow your intent before any Principal: "*" policy can grant anonymous reads.
  3. The Object URL is a quick smoke test; production stacks usually keep data private and use CloudFront or signed URLs.

Frequently asked questions

Check that Block Public Access is not blocking the policy, the bucket policy statement uses the correct bucket ARN, and there is no explicit deny elsewhere. Also confirm you are using the object URL for the right Region and key.
AWS recommends bucket policies and IAM with ACLs disabled for new workloads. Policies centralise permissions on the bucket and are easier to audit than per-object ACLs.
S3 is flat object storage addressed by bucket plus key prefix. The console shows folders for convenience, but there are no classical directories; operations are API calls such as ListObjectsV2 and GetObject.

Did you know?

S3 is designed for eleven nines of durability for objects stored across multiple devices and Availability Zones in a Region. Your application still needs correct permissions, encryption choices, and lifecycle rules for compliance and cost control.

About the author

Mari Selvan M P

Developer, cloud engineer, and technical writer

  • Experience: 12 years building web and cloud systems
  • Focus: Full Stack Development, AWS, and Developer Education

I write practical tutorials so students and working developers can learn by doing—from databases and APIs to deployment on AWS.
