• Resolved jonathanmoorebcsorg


    “WP Offload Media needs to be able to make objects in the bucket public readable”
    This permission should not be required: could there be an option to turn it off (which should be enabled by default).

    Buckets and contents should not be public since S3 cannot provide the appropriate certificates, access should be via CloudFront and bucket policy for CloudFront Origin Access Identity which allows CloudFront to read and serve up the private S3 files, with appropriate https certificates etc, thus allowing the bucket setting Block all public access: On to be retained.

    Please allow compatibility with Block all public access On for compliance with best practices.

    Also, the plugin is fixing the expected CDN to the upload path which may not be the case, for example one might have upload path:
    but the url in CloudFront can still be:
    or whatever according to however the origin is set up in CloudFront.

Viewing 3 replies - 1 through 3 (of 3 total)
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘excessive s3 permissions demanded’ is closed to new replies.