Why does s3 return 403 and not 404?

Nov 3, 2017

S3 is an object storage service that can also serve a static website. When a requested object does not exist, it sometimes responds with 403 (Forbidden) rather than 404 (Not Found).

The motivation is to hinder brute-force enumeration: an attacker who tries many object names in a bucket could otherwise learn which objects exist. With a 404, every guess that comes back "not found" confirms that the name is absent, so the attacker simply keeps changing names until one is found.

Hence S3 returns 403, and the attacker cannot tell a missing object from one they are not allowed to read. Specifically, S3 answers 403 for a missing key when the requester lacks s3:ListBucket permission on the bucket; a requester who is allowed to list the bucket gets a 404 for the same key, since listing would reveal the contents anyway.

This is a form of resource enumeration attack, in which the attacker tries random names to discover valid objects.
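Since a 403 on its own says nothing about whether a key exists, the defender's signal is the pattern: one source collecting refusals across many distinct keys. The following is an added example (not from the original post) that parses constructed S3 server access log lines and flags sources that probed several missing or forbidden keys; the log lines, bucket name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed S3 server access log lines (not real traffic), using the first 17
# documented fields: bucket owner, bucket, time, remote IP, requester, request
# ID, operation, key, request URI, HTTP status, error code, bytes sent, object
# size, total time, turnaround time, referer, user agent. "-" is an anonymous requester.
SAMPLE_LOG = """\
OWNERID examplebucket [03/Nov/2017:10:00:01 +0000] 198.51.100.7 - REQ1 REST.GET.OBJECT index.html "GET /index.html HTTP/1.1" 200 - 512 512 12 9 "-" "Mozilla/5.0"
OWNERID examplebucket [03/Nov/2017:10:00:02 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT backup.zip "GET /backup.zip HTTP/1.1" 403 AccessDenied - - 5 - "-" "curl/7.55"
OWNERID examplebucket [03/Nov/2017:10:00:02 +0000] 198.51.100.7 - REQ3 REST.GET.OBJECT .env "GET /.env HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/7.55"
OWNERID examplebucket [03/Nov/2017:10:00:03 +0000] 198.51.100.7 - REQ4 REST.GET.OBJECT config.json "GET /config.json HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/7.55"
OWNERID examplebucket [03/Nov/2017:10:00:03 +0000] 198.51.100.7 - REQ5 REST.GET.OBJECT dump.sql "GET /dump.sql HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/7.55"
OWNERID examplebucket [03/Nov/2017:10:00:09 +0000] 203.0.113.5 - REQ6 REST.GET.OBJECT logo.png "GET /logo.png HTTP/1.1" 200 - 2048 2048 8 6 "-" "Mozilla/5.0"
OWNERID examplebucket [03/Nov/2017:10:00:10 +0000] 203.0.113.5 - REQ7 REST.GET.OBJECT old.css "GET /old.css HTTP/1.1" 404 NoSuchKey - - 4 - "-" "Mozilla/5.0"
"""

FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referer", "user_agent")

# A token is a [bracketed] timestamp, a "quoted" string, or a run of non-space.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def parse_line(line):
    """Return a dict of the first 17 fields, or None for a short/malformed line."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        return None
    return dict(zip(FIELDS, tokens))

def probe_sources(log_text, threshold=3):
    """Group refused object reads by (remote_ip, requester) and return the sources
    that hit at least `threshold` distinct keys. Both 403 AccessDenied (requester
    cannot list the bucket) and 404 NoSuchKey (requester can) are counted."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["operation"] not in ("REST.GET.OBJECT", "REST.HEAD.OBJECT"):
            continue
        if (rec["http_status"], rec["error_code"]) in (("403", "AccessDenied"), ("404", "NoSuchKey")):
            misses[(rec["remote_ip"], rec["requester"])].add(rec["key"])
    return {src: sorted(keys) for src, keys in misses.items() if len(keys) >= threshold}

if __name__ == "__main__":
    for (ip, requester), keys in probe_sources(SAMPLE_LOG).items():
        print(f"{ip} ({requester}) probed {len(keys)} refused keys: {keys}")
```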
