Min.io S3 Server - Disable Public Object Listings

If Minio is publicly displaying the contents of your bucket when in "PUBLIC" access mode, use this guide to help you restrict the visibility of the object listibg while retaining public access of the objects themselves.

By default, if you set a bucket to use the "Public" access policy via the Minio console, the listing of all objects within that bucket will be shown when somebody accesses the root of the bucket (e.g. https://s3.example.com/mybucket).

This means that the user can then see the entire contents of the bucket and can scrape through the content (as shown below). While in some cases, this may be a useful and encouraged behavior - it is often not the case. We can overcome this issue by applying a custom access policy that sets a more stringent set of permissions to the public user which prevents the contents of the bucket from being listed.

Publicly Visible Object Keys in Root of Bucket

Modified Public Access Policy

Source/Credit: https://stackoverflow.com/a/66187305

Change %bucketname% with the bucket you wish to apply the policy to.

{
   "Statement":[
      {
         "Action":[
            "s3:GetBucketLocation"
         ],
         "Effect":"Allow",
         "Principal":{
            "AWS":[
               "*"
            ]
         },
         "Resource":[
            "arn:aws:s3:::%bucketname%"
         ]
      },
      {
         "Action":[
            "s3:GetObject"
         ],
         "Effect":"Allow",
         "Principal":{
            "AWS":[
               "*"
            ]
         },
         "Resource":[
            "arn:aws:s3:::%bucketname%/*"
         ]
      }
   ],
   "Version":"2012-10-17"
}
Bucket Policy JSON

Applying the Policy to the Bucket

The GUI Way

  1. Login to Minio Console
  2. On the Bucket Overview Screen, click on the current access policy (Yellow L)
  3. Change to “Custom” in the dropdown.
  4. Drop the JSON from above into the Custom Policy Editor (Yellow C)
A screenshot showing the Minio Policy editor set to a Custom Policy
Minio Policy Editor

The CLI Way

  1. Download the Minio Client if you don't already have it. You can download it here!
  2. Connect to your Minio Server mc.exe alias set local http://host:port  ACCESS_KEY SECRET_KEY
  3. Set the policy defined above mc.exe policy set-json C:\path\policy.json local/%bucketname%

The policy should now be applied to the bucket and when you try to access the root of the bucket, you will now see an Access Denied error rather than the object listing.

Access denied error when accessing the root of the bucket.