By default, if you set a bucket to use the "Public" access policy via the Minio console, the listing of all objects within that bucket will be shown when somebody accesses the root of the bucket (e.g. https://s3.example.com/mybucket).
This means that the user can then see the entire contents of the bucket and can scrape through the content (as shown below). While in some cases, this may be a useful and encouraged behavior - it is often not the case. We can overcome this issue by applying a custom access policy that sets a more stringent set of permissions to the public user which prevents the contents of the bucket from being listed.
Modified Public Access Policy
Change %bucketname% with the bucket you wish to apply the policy to.
Applying the Policy to the Bucket
The GUI Way
- Login to Minio Console
- On the Bucket Overview Screen, click on the current access policy (Yellow L)
- Change to “Custom” in the dropdown.
- Drop the JSON from above into the Custom Policy Editor (Yellow C)
The CLI Way
- Download the Minio Client if you don't already have it. You can download it here!
- Connect to your Minio Server mc.exe alias set local http://host:port ACCESS_KEY SECRET_KEY
- Set the policy defined above mc.exe policy set-json C:\path\policy.json local/%bucketname%
The policy should now be applied to the bucket and when you try to access the root of the bucket, you will now see an Access Denied error rather than the object listing.