Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Using Amazon S3 Block Public Access

Amazon S3 provides Block Public Access settings for buckets and accounts to help you manage public access to Amazon S3 resources. By default, new buckets and objects don't allow public access, but users can modify bucket policies or object permissions to allow public access. Amazon S3 Block Public Access provides settings that override these policies and permissions so that you can limit public access to these resources. With Amazon S3 Block Public Access, account administrators and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created.

When Amazon S3 receives a request to access a bucket or an object, it determines whether the bucket or the bucket owner's account has a Block Public Access setting. If there is an existing Block Public Access setting that prohibits the requested access, then Amazon S3 rejects the request. Amazon S3 Block Public Access provides four settings. These settings are independent and can be used in any combination, and each setting can be applied to a bucket or to an entire AWS account. If a bucket has Block Public Access settings that are different from its owner's account, Amazon S3 applies the most restrictive combination of the bucket-level and account-level settings. Thus, when Amazon S3 evaluates whether an operation is prohibited by a Block Public Access setting, it rejects any request that would violate either a bucket-level or an account-level setting.

Note

  • You can enable Block Public Access settings only for buckets and AWS accounts. Amazon S3 doesn't support Block Public Access settings on a per-object basis.

  • When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.

Block Public Access Settings

Amazon S3 Block Public Access provides four settings. You can apply these settings in any combination to individual buckets or to entire AWS accounts. If you apply a setting to an account, it applies to all buckets that are owned by that account. The following table contains the available settings.

Name Description
BlockPublicAcls

Setting this option to TRUE causes the following behavior:

  • PUT Bucket acl and PUT Object acl calls fail if the specified access control list (ACL) is public.

  • PUT Object calls fail if the request includes a public ACL.

  • If this setting is applied to an account, then PUT Bucket calls fail if the request includes a public ACL.

When this setting is set to TRUE, the specified operations fail (whether made through the REST API, AWS CLI, or AWS SDKs). However, existing policies and ACLs for buckets and objects are not modified. This setting enables you to protect against public access while allowing you to audit, refine, or otherwise alter the existing policies and ACLs for your buckets and objects.

IgnorePublicAcls

Setting this option to TRUE causes Amazon S3 to ignore all public ACLs on a bucket and any objects that it contains. This setting enables you to safely block public access granted by ACLs while still allowing PUT Object calls that include a public ACL (as opposed to BlockPublicAcls, which rejects PUT Object calls that include a public ACL). Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.

BlockPublicPolicy

Setting this option to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. This setting enables you to allow users to manage bucket policies without allowing them to publicly share the bucket or the objects it contains. Enabling this setting doesn't affect existing bucket policies.

Important

To use this setting effectively, you should apply it at the account level. Because a bucket policy can allow users to alter a bucket's Block Public Access settings, users who have permission to change a bucket policy could insert a policy that allows them to disable the Block Public Access settings for the bucket. If this setting is enabled for the entire account, rather than for a specific bucket, then Amazon S3 blocks public policies even if a user alters the bucket policy to disable this setting.

RestrictPublicBuckets

Setting this option to TRUE restricts access to a bucket with a public policy to only AWS services and authorized users within the bucket owner's account. This setting blocks all cross-account access to the bucket (except by AWS services), while still allowing users within the account to manage the bucket.

Enabling this setting doesn't affect existing bucket policies, except that Amazon S3 blocks public and cross-account access derived from any public bucket policy, including non-public delegation to specific accounts.

Important

  • Calls to GET Bucket acl and GET Object acl always return the effective permissions in place for the specified bucket or object. For example, suppose that a bucket has an ACL that grants public access, but the bucket also has the IgnorePublicAcls setting enabled. In this case, GET Bucket acl returns an ACL that reflects the access permissions that Amazon S3 is enforcing, rather than the actual ACL that is associated with the bucket.

  • Because Block Public Access settings don't alter existing policies or ACLs, removing a Block Public Access setting causes a bucket or object with a public policy or ACL to again be publicly accessible.

The Meaning of "Public"

  • ACLs

    • Amazon S3 considers a bucket or object ACL public if it grants any permissions to members of the predefined AllUsers or AuthenticatedUsers groups. For more information about predefined groups, see Amazon S3 Predefined Groups.

  • Policies

    • When evaluating a bucket policy, Amazon S3 begins by assuming that the policy is public, and then evaluates the policy to determine whether it qualifies as non-public. In order to be considered non-public, a bucket policy must grant access only to fixed values (values that don't contain a wildcard) of one or more of the following:

      • A set of Classless Inter-Domain Routings (CIDRs), using aws:SourceIp. For more information about CIDR, see RFC 4632 on the RFC Editor website.

      • An AWS principal, user, role, or service principal

      • aws:SourceArn

      • aws:SourceVpc

      • aws:SourceVpce

      • aws:SourceOwner

      • aws:SourceAccount

      • s3:x-amz-server-side-encryption-aws-kms-key-id

      • aws:userid, outside the pattern "AROLEID:*"

    • Under these rules, the following example policies are considered public:

      { “Principal”: { “Federated”: “graph.facebook.com” }, “Resource”: “*”, “Action”: “s3:PutObject”, “Effect”: “Allow” }
      { “Principal”: “*”, “Resource”: “*”, “Action”: “s3:PutObject”, “Effect”: “Allow” }
      { “Principal”: “*”, “Resource”: “*”, “Action”: “s3:PutObject”, “Effect”: “Allow”, “Condition”: { “StringLike”: {“aws:SourceVpc”: “vpc-*”}} }

      These policies could be made non-public by including any of the condition keys listed previously, using a fixed value. For example, the last policy above could be made non-public by setting aws:SourceVpc to a fixed value, like this:

      { “Principal”: “*”, “Resource”: “*”, “Action”: “s3:PutObject”, “Effect”: “Allow”, “Condition”: {“StringEquals”: {“aws:SourceVpc”: “vpc-91237329”}} }
    • For more information about bucket policies, see Using Bucket Policies and User Policies.

Example

This example shows how Amazon S3 evaluates a policy that contains both public and non-public access grants.

Suppose that a bucket has a policy that grants access to a set of fixed principals. Under the previously described rules, this policy isn't public. Thus, if you enable the RestrictPublicBuckets setting, the policy remains in effect as written, because RestrictPublicBuckets only applies to buckets that have public policies. However, if you add a public statement to the policy, then RestrictPublicBuckets takes effect on the bucket and allows only AWS service principals and authorized users of the bucket owner's account to access the bucket.

As an example, suppose that a bucket owned by "Account-1" has a policy that contains the following:

  1. A statement that grants access to AWS CloudTrail (which is an AWS service principal)

  2. A statement that grants access to account "Account-2"

  3. A statement that grants access to the public, for example by specifying "Principal": "*" with no limiting Condition

This policy qualifies as public because of the third statement. With this policy in place and RestrictPublicBuckets enabled, Amazon S3 allows access only by CloudTrail. Note that even though statement 2 isn't public, S3 disables access by "Account-2." This is because statement 3 renders the entire policy public, so RestrictPublicBuckets applies. As a result, S3 disables cross-account access, even though the policy delegates access to a specific account, "Account-2." But if you remove statement 3 from the policy, then the policy doesn't qualify as public, and RestrictPublicBuckets no longer applies. Thus, "Account-2" regains access to the bucket, even if you leave RestrictPublicBuckets enabled.

Permissions

To use Amazon S3 Block Public Access features, you must have the following permissions.

Operation Required Permissions
GET bucket policy status s3:GetBucketPolicyStatus
GET bucket Block Public Access settings s3:GetBucketPublicAccessBlock
PUT bucket Block Public Access settings s3:PutBucketPublicAccessBlock
DELETE bucket Block Public Access settings s3:PutBucketPublicAccessBlock
GET account Block Public Access settings s3:GetAccountPublicAccessBlock
PUT account Block Public Access settings s3:PutAccountPublicAccessBlock
DELETE account Block Public Access settings s3:PutAccountPublicAccessBlock

Note

The DELETE operations require the same permissions as the PUT operations. There are no separate permissions for the DELETE operations.

Examples

Using Block Public Access with the AWS CLI

You can use Amazon S3 Block Public Access through the AWS CLI. The command you use depends on whether you want to perform a Block Public Access call on a bucket or on an account. For more information about setting up and using the AWS CLI, see What is the AWS Command Line Interface?

  • Bucket

    • In order to perform Block Public Access operations on a bucket, use the AWS CLI service s3api. The bucket-level operations that use this service are:

      • PUT PublicAccessBlock (for a bucket)

      • GET PublicAccessBlock (for a bucket)

      • DELETE PublicAccessBlock (for a bucket)

      • GET BucketPolicyStatus

  • Account

    • In order to perform Block Public Access operations on an account, use the AWS CLI service s3control. The account-level operations that use this service are:

      • PUT PublicAccessBlock (for an account)

      • GET PublicAccessBlock (for an account)

      • DELETE PublicAccessBlock (for an account)

Using Block Public Access with the AWS SDK for Java

The following examples show how to use Amazon S3 Block Public Access with the AWS SDK for Java. For instructions on how to create and test a working sample, see Using the AWS SDK for Java.

Example 1

This example shows how to set a Public Access Block configuration on an S3 bucket using the AWS SDK for Java.

AmazonS3 client = AmazonS3ClientBuilder.standard() .withCredentials(<credentials>) .build(); client.setPublicAccessBlock(new SetPublicAccessBlockRequest() .withBucketName(<bucket-name>) .withPublicAccessBlockConfiguration(new PublicAccessBlockConfiguration() .withBlockPublicAcls(<value>) .withIgnorePublicAcls(<value>) .withBlockPublicPolicy(<value>) .withRestrictPublicBuckets(<value>)));

Important

This example pertains only to bucket-level operations, which use the AmazonS3 client class. For account-level operations, see the following example.

Example 2

This example shows how to put a Public Access Block configuration on an S3 account using the AWS SDK for Java.

AWSS3ControlClientBuilder controlClientBuilder = AWSS3ControlClientBuilder.standard(); controlClientBuilder.setRegion(<region>); controlClientBuilder.setCredentials(<credentials>); AWSS3Control client = controlClientBuilder.build(); client.putPublicAccessBlock(new PutPublicAccessBlockRequest() .withAccountId(<account-id>) .withPublicAccessBlockConfiguration(new PublicAccessBlockConfiguration() .withIgnorePublicAcls(<value>) .withBlockPublicAcls(<value>) .withBlockPublicPolicy(<value>) .withRestrictPublicBuckets(<value>)));

Important

This example pertains only to account-level operations, which use the AWSS3Control client class. For bucket-level operations, see the preceding example.

Using Block Public Access with Other AWS SDKs

For information about using the other AWS SDKs, see Using the AWS SDKs, CLI, and Explorers.

Using Block Public Access with the REST APIs

For information about using Amazon S3 Block Public Access through the REST APIs, see the following topics in the Amazon Simple Storage Service API Reference.