The Amazon S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access. S3 Block Public Access settings override these policies and permissions so that you can limit public access to these resources.
With S3 Block Public Access, account administrators and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created.
For instructions on configuring block public access, see Configuring block public access.
When Amazon S3 receives a request to access a bucket or an object, it determines whether the bucket or the bucket owner's account has a block public access setting applied. If the request was made through an access point, Amazon S3 also checks for block public access settings for the access point. If there is an existing block public access setting that prohibits the requested access, Amazon S3 rejects the request.
Amazon S3 Block Public Access provides four settings. These settings are independent and can be used in any combination. Each setting can be applied to an access point, a bucket, or an entire AWS account. If the block public access settings for the access point, bucket, or account differ, then Amazon S3 applies the most restrictive combination of the access point, bucket, and account settings.
When Amazon S3 evaluates whether an operation is prohibited by a block public access setting, it rejects any request that violates an access point, bucket, or account setting.
Public access is granted to buckets and objects through access control lists (ACLs), access point policies, bucket policies, or any combination of these. To help ensure that all of your Amazon S3 access points, buckets, and objects have their public access blocked, we recommend that you turn on all four settings for block public access for your account. Additionally, we recommend that you also turn on all four settings for each bucket to comply with AWS Security Hub Foundational Security Best Practices control S3.8. These settings block public access for all current and future buckets and access points.
Before applying these settings, verify that your applications will work correctly without public access. If you require some level of public access to your buckets or objects, for example to host a static website as described at Hosting a static website using Amazon S3, you can customize the individual settings to suit your storage use cases.
Enabling Block Public Access helps protect your resources by preventing public access from being granted through the resource policies or access control lists (ACLs) that are directly attached to S3 resources. Block Public Access does not evaluate identity-based policies or the policies of other services, so in addition to enabling it, carefully inspect the following policies to confirm that they don't grant public access:
Identity-based policies attached to associated AWS principals (for example, IAM roles)
Resource-based policies attached to associated AWS resources (for example, AWS Key Management Service (KMS) keys)
You can enable block public access settings only for access points, buckets, and AWS accounts. Amazon S3 doesn't support block public access settings on a per-object basis.
When you apply block public access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.
S3 Block Public Access provides four settings. You can apply these settings in any combination to individual access points, buckets, or entire AWS accounts. If you apply a setting to an account, it applies to all buckets and access points that are owned by that account. Similarly, if you apply a setting to a bucket, it applies to all access points associated with that bucket.
The following table contains the available settings.
| Name | Description |
|---|---|
| BlockPublicAcls | Setting this option to TRUE causes the following behavior: PutBucketAcl and PutObjectAcl calls fail if the specified access control list (ACL) is public; PutObject calls fail if the request includes a public ACL; and, if this setting is applied to an account, PutBucket calls fail if the request includes a public ACL. When this setting is set to TRUE, the specified operations fail (whether made through the REST API, AWS CLI, or AWS SDKs). However, existing policies and ACLs for buckets and objects are not modified. This setting lets you protect against public access while you audit, refine, or otherwise alter the existing policies and ACLs for your buckets and objects. Access points don't have ACLs associated with them. If you apply this setting to an access point, it acts as a passthrough to the underlying bucket. If an access point has this setting enabled, requests made through the access point behave as though the underlying bucket has this setting enabled, regardless of whether the bucket actually has this setting enabled. |
| IgnorePublicAcls | Setting this option to TRUE causes Amazon S3 to ignore all public ACLs on a bucket and any objects that it contains. This setting lets you safely block public access granted by ACLs while still allowing PutObject calls that include a public ACL (as opposed to BlockPublicAcls, which rejects PutObject calls that include a public ACL). Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. Access points don't have ACLs associated with them. If you apply this setting to an access point, it acts as a passthrough to the underlying bucket. If an access point has this setting enabled, requests made through the access point behave as though the underlying bucket has this setting enabled, regardless of whether the bucket actually has this setting enabled. |
| BlockPublicPolicy | Setting this option to TRUE for a bucket causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access, and to reject calls to PUT access point policy for all of the bucket's same-account access points if the specified policy allows public access. Setting this option to TRUE for an access point causes Amazon S3 to reject calls to PUT access point policy and PUT bucket policy that are made through the access point if the specified policy (for either the access point or the underlying bucket) is public. You can use this setting to allow users to manage access point and bucket policies without allowing them to publicly share the bucket or the objects it contains. Enabling this setting doesn't affect existing access point or bucket policies. To use this setting effectively, we recommend that you apply it at the account level. A bucket policy can allow users to alter a bucket's block public access settings. Therefore, users who have permission to change a bucket policy could insert a policy that allows them to disable the block public access settings for the bucket. If this setting is enabled for the entire account, rather than for a specific bucket, Amazon S3 blocks public policies even if a user alters the bucket policy to disable this setting. |
| RestrictPublicBuckets | Setting this option to TRUE restricts access to an access point or bucket with a public policy to only AWS service principals and authorized users within the bucket owner's account and access point owner's account. This setting blocks all cross-account access to the access point or bucket (except by AWS service principals), while still allowing users within the account to manage the access point or bucket. Enabling this setting doesn't affect existing access point or bucket policies, except that Amazon S3 blocks public and cross-account access derived from any public access point or bucket policy, including non-public delegation to specific accounts. |
Calls to GetBucketAcl and GetObjectAcl always return the effective permissions in place for the specified bucket or object. For example, suppose that a bucket has an ACL that grants public access, but the bucket also has the IgnorePublicAcls setting enabled. In this case, GetBucketAcl returns an ACL that reflects the access permissions that Amazon S3 is enforcing, rather than the actual ACL that is associated with the bucket.
Block public access settings don't alter existing policies or ACLs. Therefore, removing a block public access setting causes a bucket or object with a public policy or ACL to again be publicly accessible.
To perform block public access operations on an access point, use the AWS CLI service s3control.
You can't change an access point's block public access settings after creating the access point. You can specify block public access settings for an access point only when creating the access point.
Amazon S3 considers a bucket or object ACL public if it grants any permissions to members of the predefined AllUsers or AuthenticatedUsers groups. For more information about predefined groups, see Amazon S3 predefined groups.
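The following simulation ties together four points made above: a flag is in force if any of the account, bucket, or access point settings turns it on (the most restrictive combination); an ACL is public if it grants anything to AllUsers or AuthenticatedUsers; BlockPublicAcls rejects a public ACL on PUT while IgnorePublicAcls only hides it from GET; and no setting ever rewrites a stored ACL, so removing a setting re-exposes the grant. This is an added example written for this page, not AWS code or the service's real evaluation logic. The owner canonical ID, the grants, and the BlockedError exception are constructed for illustration, and only the two ACL-related flags are acted on.

```python
"""Model how S3 Block Public Access settings combine and what BlockPublicAcls and
IgnorePublicAcls do to ACL operations.

Added example, not AWS code. It follows the rules stated on this page: a flag is in
force if any of account, bucket or access point turns it on; an ACL is public if it
grants anything to AllUsers or AuthenticatedUsers; settings never rewrite a stored ACL.
The owner ID and the grants below are constructed placeholders.
"""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
OWNER = "owner-canonical-user-id"     # constructed placeholder, not a real canonical ID
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


class BlockedError(Exception):
    """Where the real service would answer with AccessDenied."""


def effective_settings(*levels):
    """Most restrictive combination of account, bucket and access point settings.
    Each level is a dict of flag -> bool, or None if that level has no configuration."""
    merged = {flag: False for flag in FLAGS}
    for level in levels:
        for flag in FLAGS:
            merged[flag] = merged[flag] or bool((level or {}).get(flag, False))
    return merged


def is_public_acl(grants):
    """Public if any grant goes to a predefined group that anyone can belong to."""
    return any(g["grantee"] in PUBLIC_GROUPS for g in grants)


def put_acl(new_grants, settings):
    """PutBucketAcl / PutObjectAcl: BlockPublicAcls rejects a public ACL outright."""
    if settings["BlockPublicAcls"] and is_public_acl(new_grants):
        raise BlockedError("BlockPublicAcls: request carries a public ACL")
    return list(new_grants)              # the ACL as it would now be stored


def get_acl(stored_grants, settings):
    """GetBucketAcl / GetObjectAcl return the ACL being *enforced*: under IgnorePublicAcls
    public grants are left out of the response even though they remain stored."""
    if settings["IgnorePublicAcls"]:
        return [g for g in stored_grants if g["grantee"] not in PUBLIC_GROUPS]
    return list(stored_grants)


def walkthrough():
    """Three configurations against one bucket that already carries a public grant."""
    stored = [{"grantee": OWNER, "permission": "FULL_CONTROL"},
              {"grantee": ALL_USERS, "permission": "READ"}]
    out = {}
    # 1. Only the account turns on IgnorePublicAcls: the grant is hidden from GetBucketAcl,
    #    yet re-putting the same public ACL is still accepted (that is BlockPublicAcls' job).
    account, bucket = {"IgnorePublicAcls": True}, None
    s = effective_settings(account, bucket)
    out["visible_1"] = [g["grantee"] for g in get_acl(stored, s)]
    stored = put_acl(stored, s)
    out["put_1"] = "allowed"
    # 2. The bucket adds BlockPublicAcls; both flags are now in force, so the PUT is rejected
    #    and the stored ACL is untouched (it is still public).
    bucket = {"BlockPublicAcls": True}
    s = effective_settings(account, bucket)
    try:
        put_acl(stored, s)
        out["put_2"] = "allowed"
    except BlockedError:
        out["put_2"] = "rejected"
    out["stored_public_2"] = is_public_acl(stored)
    # 3. The account setting is removed: nothing was ever rewritten, so GetBucketAcl serves
    #    the public grant again even though the bucket keeps BlockPublicAcls.
    s = effective_settings(None, bucket)
    out["visible_3"] = [g["grantee"] for g in get_acl(stored, s)]
    out["blocks_new_public_acl_3"] = s["BlockPublicAcls"]
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

Step 3 is the practical lesson: turning a setting off is not a no-op, because the public grant was stored the whole time. Before relaxing an account-level setting, list what the stored ACLs and policies actually contain rather than trusting the effective view that GetBucketAcl was returning.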
When evaluating a bucket policy, Amazon S3 begins by assuming that the policy is public. It then evaluates the policy to determine whether it qualifies as non-public. To be considered non-public, a bucket policy must grant access only to fixed values (values that don't contain a wildcard or an AWS Identity and Access Management policy variable) for one or more of the following:
An AWS principal, user, role, or service principal (for example, aws:PrincipalOrgID)
A set of Classless Inter-Domain Routing (CIDR) blocks, using aws:SourceIp. For more information about CIDR, see RFC 4632 on the RFC Editor website.
Bucket policies that grant access conditioned on the aws:SourceIp condition key with very broad IP ranges (for example, 0.0.0.0/1) are evaluated as "public." This includes values broader than /8 for IPv4 and /32 for IPv6 (excluding RFC 1918 private ranges). Block public access will reject these "public" policies and prevent cross-account access to buckets that are already using these "public" policies.
aws:SourceArn
aws:SourceVpc
aws:SourceVpce
aws:SourceOwner
aws:SourceAccount
aws:userid, outside the pattern "AROLEID:*"
s3:DataAccessPointArn
When used in a bucket policy, this value can contain a wildcard for the access point name without rendering the policy public, as long as the account ID is fixed. For example, allowing access to arn:aws:s3:us-west-2:123456789012:accesspoint/* would permit access to any access point associated with account 123456789012 in Region us-west-2, without rendering the bucket policy public. This behavior is different for access point policies. For more information, see Access points.
s3:DataAccessPointAccount
For more information about bucket policies, see Bucket policies for Amazon S3.
When using multivalued context keys, you must use the ForAllValues or ForAnyValue set operators.
Under these rules, the following example policies are considered public.

```json
{
  "Principal": "*",
  "Resource": "*",
  "Action": "s3:PutObject",
  "Effect": "Allow"
}
```

```json
{
  "Principal": "*",
  "Resource": "*",
  "Action": "s3:PutObject",
  "Effect": "Allow",
  "Condition": {
    "StringLike": {
      "aws:SourceVpc": "vpc-*"
    }
  }
}
```

You can make these policies non-public by including any of the condition keys listed previously, using a fixed value. For example, you can make the last policy preceding non-public by setting aws:SourceVpc to a fixed value, like the following.

```json
{
  "Principal": "*",
  "Resource": "*",
  "Action": "s3:PutObject",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "aws:SourceVpc": "vpc-91237329"
    }
  }
}
```

This example shows how Amazon S3 evaluates a bucket policy that contains both public and non-public access grants.
Suppose that a bucket has a policy that grants access to a set of fixed principals. Under the previously described rules, this policy isn't public. Thus, if you enable the RestrictPublicBuckets setting, the policy remains in effect as written, because RestrictPublicBuckets only applies to buckets that have public policies. However, if you add a public statement to the policy, RestrictPublicBuckets takes effect on the bucket. It allows only AWS service principals and authorized users of the bucket owner's account to access the bucket.
As an example, suppose that a bucket owned by "Account-1" has a policy that contains the following:
A statement that grants access to AWS CloudTrail (which is an AWS service principal)
A statement that grants access to account "Account-2"
A statement that grants access to the public, for example by specifying "Principal": "*" with no limiting Condition
This policy qualifies as public because of the third statement. With this policy in place and RestrictPublicBuckets enabled, Amazon S3 allows access only by CloudTrail. Even though statement 2 isn't public, Amazon S3 disables access by "Account-2." This is because statement 3 renders the entire policy public, so RestrictPublicBuckets applies. As a result, Amazon S3 disables cross-account access, even though the policy delegates access to a specific account, "Account-2." But if you remove statement 3 from the policy, then the policy doesn't qualify as public, and RestrictPublicBuckets no longer applies. Thus, "Account-2" regains access to the bucket, even if you leave RestrictPublicBuckets enabled.
Amazon S3 evaluates block public access settings slightly differently for access points compared to buckets. The rules that Amazon S3 applies to determine when an access point policy is public are generally the same for access points as for buckets, except in the following situations:
An access point that has a VPC network origin is always considered non-public, regardless of the contents of its access point policy.
An access point policy that grants access to a set of access points using s3:DataAccessPointArn is considered public. Note that this behavior is different than for bucket policies. For example, a bucket policy that grants access to values of s3:DataAccessPointArn that match arn:aws:s3:us-west-2:123456789012:accesspoint/* is not considered public. However, the same statement in an access point policy would render the access point public.
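The public/non-public rules for bucket policies, the "Account-1" walkthrough of RestrictPublicBuckets, and the two access point exceptions just listed, combined into one classifier. This is an added example written for this page, not AWS code and not the service's real evaluation logic, which also checks things such as unsupported actions. Account IDs, VPC IDs, and the policies in the block are constructed placeholders. Two readings are assumptions of this example rather than statements on the page: a condition using a negated operator (StringNotEquals, NotIpAddress and so on), a Null operator, or an IfExists suffix is treated as not pinning the grant, since it does not restrict access to a fixed value; and principals_allowed treats a principal as belonging to the owner account when its ARN carries that account ID.

```python
"""Classify S3 bucket and access point policies as public or non-public.

Added example, not AWS code. A policy starts out public; an Allow statement stops
being public only when its grant is pinned to a fixed value (no wildcard, no
${policy variable}) through its Principal or one of the condition keys listed above.
Account IDs, VPC IDs and the policies under __main__ are constructed placeholders.
"""
import ipaddress
import re

WILDCARD = re.compile(r"[*?]|\$\{")
QUALIFYING_KEYS = {"aws:principalorgid", "aws:sourceip", "aws:sourcearn", "aws:sourcevpc",
                   "aws:sourcevpce", "aws:sourceowner", "aws:sourceaccount", "aws:userid",
                   "s3:dataaccesspointarn", "s3:dataaccesspointaccount"}
# access point ARN whose region and account are fixed; only the name may carry a wildcard
AP_ARN_FIXED_ACCOUNT = re.compile(r"arn:aws:s3:[a-z0-9-]+:\d{12}:accesspoint/[^$]*")


def as_list(v):
    return v if isinstance(v, list) else [v]


def is_fixed(value):
    return WILDCARD.search(str(value)) is None


def source_ip_is_fixed(cidr):
    """aws:SourceIp pins a grant only if the range is no broader than /8 (IPv4) or /32 (IPv6)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen >= (8 if net.version == 4 else 32)


def principal_is_fixed(principal):
    """'*' or {'AWS': '*'} means anyone; concrete ARNs, account IDs and service names are fixed."""
    values = [x for v in principal.values() for x in as_list(v)] if isinstance(principal, dict) else [principal]
    return bool(values) and all(is_fixed(x) for x in values)


def condition_value_is_fixed(key, value, resource_type):
    key, value = key.lower(), str(value)
    if key not in QUALIFYING_KEYS:
        return False                    # a condition on any other key never makes a policy non-public
    if key == "aws:sourceip":
        return is_fixed(value) and source_ip_is_fixed(value)
    if key == "s3:dataaccesspointarn" and resource_type == "bucket":
        return AP_ARN_FIXED_ACCOUNT.fullmatch(value) is not None
    return is_fixed(value)              # e.g. aws:userid 'AROLEID:*' carries a wildcard, so it stays public


def statement_is_public(stmt, resource_type="bucket"):
    if stmt.get("Effect") != "Allow" or principal_is_fixed(stmt.get("Principal", "*")):
        return False                    # Deny grants nothing; a fixed Principal is non-public
    for operator, conds in stmt.get("Condition", {}).items():
        op = operator.lower().split(":")[-1]        # drop a ForAllValues:/ForAnyValue: prefix
        if "not" in op or op == "null" or op.endswith("ifexists"):
            continue                    # assumption: negated, Null and IfExists conditions do not pin the grant
        for key, values in conds.items():
            if as_list(values) and all(condition_value_is_fixed(key, v, resource_type) for v in as_list(values)):
                return False
    return True


def policy_is_public(policy, resource_type="bucket", vpc_origin=False):
    """resource_type is 'bucket' or 'access_point'; a VPC-origin access point is never public."""
    if resource_type == "access_point" and vpc_origin:
        return False
    return any(statement_is_public(s, resource_type) for s in as_list(policy["Statement"]))


def principals_allowed(policy, owner_account, restrict_public_buckets):
    """RestrictPublicBuckets on a public policy keeps only AWS service principals and the
    owner account's own principals (matched here by account ID in the ARN); otherwise
    every Allow statement applies as written."""
    stmts = [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    if not (restrict_public_buckets and policy_is_public(policy)):
        return [s["Principal"] for s in stmts]
    return [s["Principal"] for s in stmts if isinstance(s["Principal"], dict) and (
        "Service" in s["Principal"]
        or all(f":{owner_account}:" in a for a in as_list(s["Principal"].get("AWS", "*"))))]


if __name__ == "__main__":
    anyone = {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "*"}
    print(policy_is_public({"Statement": [anyone]}))  # True
    pinned = dict(anyone, Condition={"StringEquals": {"aws:SourceVpc": "vpc-91237329"}})
    print(policy_is_public({"Statement": [pinned]}))  # False
```

The point worth internalising from principals_allowed is the one the walkthrough makes: a single "Principal": "*" statement does not only expose the bucket, it also silently cuts off every cross-account delegation in the same policy once RestrictPublicBuckets is on. Running a classifier like this in CI against proposed policies catches both the exposure and the outage before PUT Bucket policy is attempted.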
You can use IAM Access Analyzer for S3 to review buckets with bucket ACLs, bucket policies, or access point policies that grant public access. IAM Access Analyzer for S3 alerts you to buckets that are configured to allow access to anyone on the internet or other AWS accounts, including AWS accounts outside of your organization. For each public or shared bucket, you receive findings that report the source and level of public or shared access.
In IAM Access Analyzer for S3, you can block all public access to a bucket with a single click. You can also drill down into bucket-level permission settings to configure granular levels of access. For specific and verified use cases that require public or shared access, you can acknowledge and record your intent for the bucket to remain public or shared by archiving the findings for the bucket.
In rare cases, IAM Access Analyzer for S3 and Amazon S3 block public access evaluation might differ on whether a bucket is public. This behavior occurs because Amazon S3 block public access performs validation on the existence of actions in addition to evaluating public access. Suppose that the bucket policy contains an Action statement that allows public access for an action that isn't supported by Amazon S3 (for example, s3:NotASupportedAction). In this case, Amazon S3 block public access evaluates the bucket as public because such a statement could potentially make the bucket public if the action later becomes supported. In cases where Amazon S3 block public access and IAM Access Analyzer for S3 differ in their evaluations, we recommend reviewing the bucket policy and removing any unsupported actions.
For more information about IAM Access Analyzer for S3, see Reviewing bucket access using IAM Access Analyzer for S3.
To use Amazon S3 Block Public Access features, you must have the following permissions.
| Operation | Required permissions |
|---|---|
| GET bucket policy status | s3:GetBucketPolicyStatus |
| GET bucket Block Public Access settings | s3:GetBucketPublicAccessBlock |
| PUT bucket Block Public Access settings | s3:PutBucketPublicAccessBlock |
| DELETE bucket Block Public Access settings | s3:PutBucketPublicAccessBlock |
| GET account Block Public Access settings | s3:GetAccountPublicAccessBlock |
| PUT account Block Public Access settings | s3:PutAccountPublicAccessBlock |
| DELETE account Block Public Access settings | s3:PutAccountPublicAccessBlock |
| PUT access point Block Public Access settings | s3:CreateAccessPoint |
The DELETE operations require the same permissions as the PUT operations. There are no separate permissions for the DELETE operations.
For more information about configuring block public access for your AWS account, your Amazon S3 buckets, and your access points, see the following topics: