How do I have an S3 bucket return 404 (instead of 403) for a key that does not exist in the bucket/

Question

I am using S3 to store some business critical documents. I want the bucket to return a 404 status code when trying to access an object that does not exist in the bucket.

Answer 1

S3 returns a 403 instead of a 404 when the user doesn't have permission to list the bucket contents.

If you query for an object and receive a 404, then you know that object doesn't exist. This is information you shouldn't know if you don't have permission to list the bucket contents so instead of telling you it doesn't exist, S3 just tells you that you're trying to do something you're not allowed to do. When you get a 403 instead of a 404 you have no way of knowing that the object you requested doesn't exist. It might not exist or it might exist and you just don't have permission to access it. There's no way for you to know for sure and so no security is bypassed.

I believe anyone with access to list the bucket contents will get a 404 instead of a 403.