By default, all objects in Amazon S3 are private. Objects can then be made “public” by adding permissions through one of:
- Object Access Control List (ACL): sets permissions directly on the object
- Bucket Policy: applies to a bucket and can define rules based on subdirectories, key names (file names), time of day, IP address, etc.
- IAM policy: applies to specific users or groups
As long as one of these methods provides access, a person will be able to access the object. It is also possible to assign Deny permissions that override Allow permissions.
When an object is accessed through an unauthenticated URL (for example, s3.amazonaws.com/bucket-name/object-key), the above rules determine access. However, even “private” files can be accessed if you authenticate to the service, for example by calling the S3 API with user credentials or by using a pre-signed URL.
To see how this works, click a private file in the Amazon S3 management console and select Open from the Actions menu. The object will open. This is done by providing the browser with a pre-signed URL, which is a cryptographically signed URL with an expiration date. The URL will work to retrieve the private file only until a certain time.
So, to answer your question, you can still access private files through:
- Open command in console
- Pre-Signed URLs in a Web Browser
- Authenticated API Calls
Just be careful that you don’t define DENY rules that block even your own ability to access files. It’s easier to just ALLOW the directories you want to publish.
See: Query String Validation Alternative