packages/docs/docs/lambda/bucket-security.mdx
Before Remotion Lambda v4.0.418, buckets created with Remotion Lambda used a public-read ACL. This means that:
privacy option in renderMediaOnLambda()) are accessible to anyone.
If you also accepted user uploads to the bucket, anyone could list the bucket and see user items.
If you did not set the privacy option for renders, anyone could list the bucket and see renders.
From Remotion Lambda v4.0.418, the default is to not set an ACL, but to set a bucket policy:
privacy option in renderMediaOnLambda()) are only accessible if you know the URL.
This new default only applies for newly created buckets and only if you added the s3:PutBucketPolicy permission to your IAM user.
Existing buckets and new buckets created without the s3:PutBucketPolicy permission will continue to have a public-read ACL.
s3:PutBucketPolicy is only available as part of getUserPolicy() since v4.0.418.
Since the public does not need to be able to list the bucket, we recommend disabling public listing to minimize exposure of your files.
For new buckets: Ensure you add s3:PutBucketPolicy to your IAM user policy (it is part of the default only from v4.0.418; if you are upgrading, you need to update your user policy manually). Then create a bucket.
For existing buckets: Visit the bucket in the S3 console. Go to "permissions". Under Access control list, click Edit and remove List for Everyone.
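The two checks behind these steps, as an added example (not Remotion's own code): it assumes you pass in the JSON returned by S3 GetBucketAcl and your IAM user policy document. All function names and the sample data are constructed for illustration.

```javascript
// Added example: inputs mirror the JSON of S3 GetBucketAcl and of an IAM policy document.
const ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"; // "Everyone" in the console
const LIST_PERMISSIONS = new Set(["READ", "FULL_CONTROL"]); // bucket ACL permissions that include List

// Grants that let Everyone list the bucket.
function publicListGrants(acl) {
  return (acl.Grants || []).filter((g) => g.Grantee && g.Grantee.Type === "Group" &&
    g.Grantee.URI === ALL_USERS && LIST_PERMISSIONS.has(g.Permission));
}
// Copy of the ACL without those grants (the input is not modified).
function withoutPublicList(acl) {
  const drop = new Set(publicListGrants(acl));
  return { Owner: acl.Owner, Grants: (acl.Grants || []).filter((g) => !drop.has(g)) };
}
// IAM action patterns are case-insensitive; * matches any run, ? one character.
function actionMatches(pattern, action) {
  const source = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + source + "$", "i").test(action);
}
// Coarse check: reads Allow/Action only; ignores Deny, NotAction, Resource and Condition.
function policyAllows(policy, action) {
  const list = (v) => (Array.isArray(v) ? v : v == null ? [] : [v]);
  return list(policy.Statement).some((s) => s.Effect === "Allow" &&
    list(s.Action).some((a) => actionMatches(a, action)));
}
// Findings for one IAM user policy and one bucket ACL.
function auditBucket({ userPolicy, bucketAcl }) {
  const findings = [];
  if (!policyAllows(userPolicy, "s3:PutBucketPolicy"))
    findings.push("user policy lacks s3:PutBucketPolicy: new buckets keep the public-read ACL");
  if (publicListGrants(bucketAcl).length > 0)
    findings.push("bucket ACL lets Everyone list the bucket");
  return findings;
}

// Constructed sample data (placeholders, not from a real account).
const sampleAcl = {
  Owner: { ID: "OWNER_ID_PLACEHOLDER" },
  Grants: [
    { Grantee: { Type: "CanonicalUser", ID: "OWNER_ID_PLACEHOLDER" }, Permission: "FULL_CONTROL" },
    { Grantee: { Type: "Group", URI: ALL_USERS }, Permission: "READ" },
  ],
};
const samplePolicy = {
  Statement: [{ Effect: "Allow", Action: ["s3:CreateBucket", "s3:PutBucketAcl"], Resource: "*" }],
};

console.log(auditBucket({ userPolicy: samplePolicy, bucketAcl: sampleAcl }));
```

The object returned by withoutPublicList() has the Owner/Grants shape that S3 PutBucketAcl accepts as its AccessControlPolicy.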