Security Considerations
What You Have Accepted
Enabling public read access on a bucket is a deliberate security trade-off. You have granted anonymous access to all objects in this bucket. This is correct for public web content — your HTML, CSS, and JavaScript are meant to be public. The security concern is not about the content itself, but about what else might end up in this bucket.
Never store environment (.env) files, API keys, build secrets, or any other non-public artifact in a publicly accessible hosting bucket. Even with a restrictive prefix in your policy, human error in a deployment pipeline can put a sensitive file under the public prefix. The safest approach is a dedicated bucket for public hosting, separate from any bucket used for build artifacts, backups, or configuration, so that a mis-targeted upload has nowhere public to land.
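One practical control for the pipeline risk described above is a pre-upload gate that refuses to sync anything matching a denylist of secret-bearing filenames and directories. The script below is an added example, not part of the lab or any AWS tooling; the patterns, the `./build` default directory and the sample paths in the test are constructed for illustration and should be extended to match your own build layout.

```python
import fnmatch
import os
import sys

# Filenames that must never land in a public hosting bucket. This list is a
# constructed starting point for the example, not a complete inventory.
DENY_PATTERNS = (
    ".env", ".env.*",                  # environment files with secrets
    "*.pem", "*.key", "*.p12",         # private keys and certificate bundles
    "id_rsa", "id_rsa.*",              # SSH keys
    "*.tfstate", "*.tfstate.backup",   # infrastructure state with credentials
    "*.bak", "*.swp",                  # editor and backup leftovers
)
# Directories whose contents never belong on a public site.
DENY_DIRS = (".git", ".aws", ".ssh", "node_modules")


def is_denied(relpath: str) -> bool:
    """Return True if a POSIX-style path relative to the site root must be refused."""
    parts = relpath.split("/")
    # Any denied directory anywhere in the path blocks the file beneath it.
    if any(part in DENY_DIRS for part in parts[:-1]):
        return True
    name = parts[-1]
    # Case-sensitive matching: ".ENV" and ".env" are both worth refusing,
    # so add upper-case variants to DENY_PATTERNS if your builds produce them.
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in DENY_PATTERNS)


def partition_upload(paths):
    """Split candidate paths into (allowed, denied), preserving order."""
    allowed, denied = [], []
    for path in paths:
        (denied if is_denied(path) else allowed).append(path)
    return allowed, denied


def collect_site_files(root: str):
    """Walk a build directory and yield paths relative to it, POSIX-style."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            yield os.path.relpath(full, root).replace(os.sep, "/")


if __name__ == "__main__":
    # Usage: python gate.py ./build   (hypothetical script name and directory)
    site_root = sys.argv[1] if len(sys.argv) > 1 else "./build"
    allowed, denied = partition_upload(sorted(collect_site_files(site_root)))
    for path in denied:
        print(f"REFUSED: {path}", file=sys.stderr)
    if denied:
        sys.exit(1)  # non-zero exit stops the pipeline before any sync runs
    print(f"{len(allowed)} files cleared for upload")
```

Run it as the step immediately before the sync command so that a single refused file fails the whole deployment; a gate that only warns will eventually be ignored.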
Principle of Least Privilege Applied
The bucket policy in this lab grants only s3:GetObject. Callers can fetch objects but cannot upload, delete, list, or modify anything. An attacker who finds this bucket is bound by the same policy: they cannot write to it, cannot enumerate its contents, and cannot alter your site. This is least privilege in practice — grant exactly the permissions required for the use case, nothing more.
HTTPS Limitation
The S3 website endpoint is HTTP only. Serving content over plain HTTP lets a man-in-the-middle on the network path modify your pages and scripts in transit (content injection). For any production site, place CloudFront in front of your S3 origin. CloudFront provides HTTPS termination, a free TLS certificate via AWS Certificate Manager, and the ability to enforce HTTPS-only access. This is a non-negotiable requirement for any site you would ship to real users.
Object Enumeration
Because the bucket policy does not include s3:ListBucket, unauthenticated users cannot enumerate the objects in the bucket. They can only fetch objects at known paths. This reduces your exposure but does not eliminate it — any object key an attacker can guess, or discover by reading your HTML and JavaScript, can still be fetched directly.
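The two points above, a public grant limited to s3:GetObject and the absence of s3:ListBucket, are easy to check mechanically before a policy is applied. The auditor below is an added example written for this page, not AWS code; it reads a bucket policy document, looks only at Allow statements whose Principal is anonymous, and reports any action beyond object reads or any resource not scoped to objects. The bucket name `example-site-bucket` and the sample policies are constructed for illustration.

```python
import json


def _as_list(value):
    """IAM policy fields may be a scalar or a list; always return a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def is_public_principal(principal) -> bool:
    """True when a statement applies to anonymous (unauthenticated) callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_public_policy(policy: dict) -> list:
    """Return findings for every anonymous Allow statement that grants more
    than s3:GetObject, or that names a resource other than the bucket's objects."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue  # authenticated principals are out of scope for this check
        sid = stmt.get("Sid") or f"Statement[{index}]"
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource in a public statement is an open-ended grant")
        for action in _as_list(stmt.get("Action")):
            lowered = action.lower()  # IAM action names are case-insensitive
            if lowered == "s3:getobject":
                continue
            if lowered == "s3:listbucket":
                findings.append(f"{sid}: {action} lets anonymous callers enumerate every key in the bucket")
            elif lowered.endswith("*"):
                findings.append(f"{sid}: wildcard action {action} grants far more than public read")
            else:
                findings.append(f"{sid}: {action} exceeds the s3:GetObject needed for static hosting")
        for resource in _as_list(stmt.get("Resource")):
            # GetObject needs the object ARN (bucket/*); a bare bucket ARN or "*"
            # is only useful for bucket-level actions such as ListBucket.
            if resource == "*" or not resource.endswith("/*"):
                findings.append(f"{sid}: resource {resource} is not scoped to objects "
                                f"(expected arn:aws:s3:::<bucket>/*)")
    return findings


# Constructed sample: the shape of the lab's least-privilege policy.
LAB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-bucket/*",
    }],
}

# Constructed sample: a policy that also lets anonymous callers list and write.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooMuch",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-site-bucket",
                     "arn:aws:s3:::example-site-bucket/*"],
    }],
}


if __name__ == "__main__":
    for name, policy in (("lab", LAB_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(f"== {name} ==")
        print(json.dumps(policy, indent=2))
        for finding in audit_public_policy(policy) or ["no findings"]:
            print("  -", finding)
```

The check is deliberately narrow: it does not evaluate Deny statements, Conditions, or S3 Block Public Access settings, so a clean result means the public grant is shaped correctly, not that the bucket is safe in every other respect.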
Security Layer Check
Question 1 of 1
Your CI/CD pipeline accidentally uploads a .env file containing database credentials to your public hosting bucket. The bucket policy grants s3:GetObject to *. What is the impact?