Amazon S3 - private file is still downloadable for everyone?
Check your bucket policy by going to the bucket, then clicking Properties and Edit Bucket Policy. If you have something like this:
    {
        "Sid": "Stmt1391783519913",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "s3:GetObject"
        ],
        "Resource": "arn:aws:s3:::bucket/*"
    }
it means that you are allowing everyone to download every file in this bucket.
According to the documentation:
If an account has access to resources that an ACL or policy specifies, they are able to access the requested resource.
That is the reason why an anonymous user can still open/download your files.
You can prevent it by adding a new policy like the one below:
    {
        "Sid": "Stmt1395306106592",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket/some/path/*.ext"
    }
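As an added example (not code from the original answer), a small Python simulation of the evaluation rule the answer relies on: an explicit Deny in any matching statement overrides the Allow, so an anonymous download of bucket/some/path/secret.ext is refused while the rest of the bucket stays readable. The bucket name, object keys and the POLICY/evaluate() names are constructed for this example; real S3 also consults ACLs and the caller's own IAM policies, which this ignores.

```python
import fnmatch
import json

# Added example, not from the original answer: a small simulation of the IAM
# evaluation rule S3 applies to a bucket policy (explicit Deny beats Allow,
# otherwise implicit deny). Ignores ACLs and IAM user policies. Names are constructed.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAnyoneRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::bucket/*"},
    {"Sid": "DenyPrivatePath", "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/some/path/*.ext"}
  ]
}
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one char;
    # fnmatchcase has the same semantics and is case-sensitive, like ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(statement, principal):
    p = statement.get("Principal")
    if p == "*":
        return True
    aws = _as_list(p.get("AWS", [])) if isinstance(p, dict) else []
    return "*" in aws or principal in aws

def evaluate(policy, principal, action, resource):
    """Return 'Allow' or 'Deny' for one request against one bucket policy."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for st in policy["Statement"]:
        if not (_principal_matches(st, principal)
                and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny wins; no later Allow can override it
        decision = "Allow"
    return decision

if __name__ == "__main__":
    for key in ("public/image.png", "some/path/secret.ext"):
        print(key, evaluate(POLICY, "anonymous", "s3:GetObject", "arn:aws:s3:::bucket/" + key))
```

Because the Deny statement also names Principal "*", evaluate() returns "Deny" on that path for the account's own IAM users as well; narrow the Deny's Principal if that is not what you want.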