S3 Online Access Checker

Paste an Amazon S3, CloudFront, or pre-signed file URL. This page asks a Cloudflare Pages Function to check the link from the server side, avoiding normal browser CORS limitations.

The checker uses HEAD first, then a small ranged GET fallback if HEAD is blocked.
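
The HEAD-then-ranged-GET sequence described above, as an added sketch (not this checker's own source code). The function names, the injectable `fetchImpl` parameter, and the host allowlist are assumptions made for illustration; the sample URLs in any test are constructed.

```javascript
// Added example, not the checker's own source. ALLOWED_SUFFIXES, verdict(),
// probe() and checkAccess() are hypothetical names.
// Assumption: only AWS-hosted names are accepted, because a server-side fetcher
// should not request arbitrary hosts; custom CloudFront domains would need adding.
const ALLOWED_SUFFIXES = [".amazonaws.com", ".cloudfront.net"];

// Map an HTTP status to the outcomes the page lists.
function verdict(status) {
  if (status === 200 || status === 206) return "online";
  if (status === 403) return "access-denied";
  if (status === 404) return "not-found";
  return "unconfirmed"; // redirects, 5xx, network errors
}

// Send one request and return only its status; 0 means the request failed.
async function probe(fetchImpl, url, method, headers) {
  try {
    const res = await fetchImpl(url, { method, headers, redirect: "manual" });
    if (res.body && res.body.cancel) await res.body.cancel(); // do not read the body
    return res.status;
  } catch {
    return 0;
  }
}

// fetchImpl is injectable so the logic can be exercised offline with a stub.
async function checkAccess(url, fetchImpl = fetch) {
  const target = new URL(url);
  const okScheme = target.protocol === "https:" || target.protocol === "http:";
  const okHost = ALLOWED_SUFFIXES.some((s) => target.hostname.endsWith(s));
  if (!okScheme || !okHost) throw new Error("URL is not an S3/CloudFront link");

  const head = await probe(fetchImpl, target.href, "HEAD", {});
  if (verdict(head) === "online") return { verdict: "online", via: "HEAD", status: head };

  // HEAD can fail while GET works: a pre-signed URL is signed for one HTTP
  // method, so HEAD on a GET-signed link returns 403. Request a single byte so
  // a large object is never downloaded.
  const get = await probe(fetchImpl, target.href, "GET", { Range: "bytes=0-0" });
  return { verdict: verdict(get), via: "GET range", status: get };
}
```

A 403 from both probes points to the permission steps below; a 404 points to the object path check.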

When the S3 link is not online

Use the steps below when the checker returns 403 Access Denied, 404 Not Found, or cannot confirm access. These steps follow the AWS S3 static website access guidance.

1. Check the object path first

Open the object in AWS S3 and confirm the object key exactly matches the URL, including folder path, spaces, +, uppercase/lowercase, and file extension.

2. Check Block Public Access

For a public S3 website or object, AWS requires public access to be allowed at the bucket level and, if it is restricted there, at the account level as well. S3 applies the most restrictive setting.

3. Preferred method: bucket policy

Use a bucket policy to grant anonymous s3:GetObject permission to the objects. Replace YOUR-BUCKET-NAME with your real bucket name.

4. Alternative method: object ACL

Use object ACLs only when needed, for example when objects are not owned by the bucket owner. If Object Ownership is Bucket owner enforced, ACLs are disabled and you must use policies.

Method A — Make objects public by bucket policy

  1. Open the S3 console and select your bucket.
  2. Go to Permissions.
  3. Under Block public access, choose Edit.
  4. Clear Block all public access, save changes, and confirm the warning only if the content is safe to publish publicly.
  5. Under Bucket policy, choose Edit.
  6. Paste the policy below and update the bucket name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
    }
  ]
}

Method B — Make a specific object public by ACL

Use this only if your bucket has ACLs enabled and you need object-level permission. Add public READ permission for the AWS AllUsers group on the object ACL.

<Grant>
  <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  </Grantee>
  <Permission>READ</Permission>
</Grant>

Other common checks

Manual test

curl -I "YOUR-S3-LINK"

For large videos, do not download the whole file just to test access. Use curl -I or a ranged request.