How to block S3 public access

Topic: Cloud aws core

Summary

Keep S3 buckets private by enabling Block Public Access at the account and bucket level. Prevents accidental public read or write from bucket policy or ACLs. Use this when creating or auditing S3 buckets so data is not exposed to the internet.

Intent: How-to

Quick answer

  • Block Public Access has four settings: BlockPublicAcls (reject new public ACLs), IgnorePublicAcls (ignore public ACLs already on the bucket or its objects), BlockPublicPolicy (reject bucket policies that grant public access), and RestrictPublicBuckets (limit access through any existing public policy to AWS service principals and authorized users in the account). Enable all four at both the bucket and the account level.
  • Account level: S3 console -> Block Public Access settings for this account. These settings apply to every bucket in the account, existing and new, and are evaluated together with each bucket's own settings: S3 applies the most restrictive combination, so a bucket cannot opt out of an account-level block. Keep both levels on for defense in depth.
  • If you genuinely need public read (e.g. a static website served straight from S3), S3 will only accept a policy granting public s3:GetObject when BlockPublicPolicy and RestrictPublicBuckets are off for that bucket and for the account; scope such a policy to a single prefix and document the exception. Prefer CloudFront with origin access control (OAC, the successor to the legacy origin access identity, OAI) so the bucket stays private and all four settings stay on.

Prerequisites

An AWS principal allowed to read and change the settings (s3:GetBucketPublicAccessBlock, s3:PutBucketPublicAccessBlock, s3:GetAccountPublicAccessBlock, s3:PutAccountPublicAccessBlock, s3:ListAllMyBuckets) and, for the command-line steps, the AWS CLI configured for that account.
Steps

  1. Enable at bucket level

    S3 -> bucket -> Permissions -> Block public access (bucket settings) -> Edit; check all four options; save. This rejects new public ACLs, ignores any public ACLs already present on the bucket or its objects, rejects new bucket policies that grant public access, and restricts access through any existing public policy. Buckets created since April 2023 get all four settings enabled by default; older buckets may not, so check each one rather than assume.

  2. Enable at account level

    S3 -> Block Public Access settings for this account -> Edit; enable all four. This applies to every bucket in the account, existing and new, and cannot be relaxed per bucket, because S3 applies the most restrictive combination of the account-level and bucket-level settings. Before enabling it, list any buckets that intentionally serve public content directly from S3: their public policies stop being honoured once the account-level block is on, so move them behind CloudFront first.

  3. Allow controlled public read (if needed)

    A bucket policy granting public s3:GetObject is only accepted by PutBucketPolicy when BlockPublicPolicy is off, and anonymous requests are only honoured when RestrictPublicBuckets is also off, at both the bucket and the account level. If you must do this, limit the statement to one prefix (Resource arn:aws:s3:::bucket/public/*), keep BlockPublicAcls and IgnorePublicAcls on, and record the exception. The better option is CloudFront with origin access control (OAC, the successor to OAI): the bucket policy then grants s3:GetObject only to the cloudfront.amazonaws.com service principal, conditioned on the distribution's ARN, and all four Block Public Access settings stay on.

  4. Audit

    Use the S3 console, or aws s3api list-buckets, aws s3api get-public-access-block --bucket <name>, and aws s3control get-public-access-block --account-id <id>; a NoSuchPublicAccessBlockConfiguration error means nothing is configured, i.e. all four settings are off. aws s3api get-bucket-policy-status --bucket <name> reports whether S3 itself judges the bucket policy public. Use AWS Config managed rules (s3-bucket-level-public-access-prohibited, s3-account-level-public-access-blocks-periodic, s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited) or a scheduled script to alert when a bucket or the account drifts from the blocked state.
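The four steps above as one script. This is an added example, not code from the original page or from AWS: it assumes boto3 is installed and that the credentials in use carry the permissions listed under Prerequisites. The two helpers that matter run offline: effective_block() models how S3 combines account-level and bucket-level settings (a setting is in force if it is on at either level, and a missing configuration counts as all four off), and wildcard_principal_statements() flags policy statements with a "*" principal. cloudfront_oac_policy() follows AWS's documented OAC bucket-policy pattern; the bucket name and distribution ARN you pass in are placeholders. audit_account() lists every bucket whose effective settings are not fully blocked and, with --enforce, applies all four settings to it.

```python
"""Audit and enforce S3 Block Public Access (BPA) across an account.

Added example (not from the original page or AWS). Assumes boto3 is installed
and that credentials allow s3:ListAllMyBuckets, s3:Get/PutBucketPublicAccessBlock
and s3:GetAccountPublicAccessBlock. The pure helpers below run offline.
"""
from __future__ import annotations

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
FULL_BLOCK = {k: True for k in BPA_KEYS}


def effective_block(account_cfg: dict | None, bucket_cfg: dict | None) -> dict:
    """S3 applies the most restrictive combination of account and bucket settings:
    a setting is in force if it is on at either level. A missing configuration
    (the API answers NoSuchPublicAccessBlockConfiguration) equals all four off."""
    a, b = account_cfg or {}, bucket_cfg or {}
    return {k: bool(a.get(k) or b.get(k)) for k in BPA_KEYS}


def missing_settings(account_cfg: dict | None, bucket_cfg: dict | None) -> list[str]:
    """Settings off at both levels, i.e. what still needs enabling."""
    eff = effective_block(account_cfg, bucket_cfg)
    return [k for k in BPA_KEYS if not eff[k]]


def wildcard_principal_statements(policy: dict) -> list[str]:
    """Sids (or positions) of Allow statements whose Principal is '*' or {'AWS': '*'}.
    Deliberately conservative: a Condition such as aws:SourceIp can make such a
    statement non-public in S3's own evaluation, but it is still listed for review."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for i, st in enumerate(stmts):
        p = st.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if st.get("Effect") == "Allow" and wildcard:
            hits.append(st.get("Sid", f"Statement[{i}]"))
    return hits


def cloudfront_oac_policy(bucket: str, distribution_arn: str) -> dict:
    """Bucket policy for a private bucket served through CloudFront origin access
    control: only the CloudFront service principal, acting for the named
    distribution, may read objects. Safe to apply with all four BPA settings on."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
    }]}


def _fetch(call):
    """Run a get_public_access_block call; None when no configuration exists."""
    from botocore.exceptions import ClientError
    try:
        return call()["PublicAccessBlockConfiguration"]
    except ClientError as e:
        if e.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise


def audit_account(enforce: bool = False) -> list[tuple[str, list[str]]]:
    """Return (bucket, missing settings) for every bucket whose effective
    account-or-bucket settings are not all on; with enforce=True, fix the bucket."""
    import boto3
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    s3, s3control = boto3.client("s3"), boto3.client("s3control")
    account_cfg = _fetch(lambda: s3control.get_public_access_block(AccountId=account_id))
    findings = []
    for b in s3.list_buckets()["Buckets"]:
        name = b["Name"]
        bucket_cfg = _fetch(lambda: s3.get_public_access_block(Bucket=name))
        missing = missing_settings(account_cfg, bucket_cfg)
        if missing:
            findings.append((name, missing))
            if enforce:
                s3.put_public_access_block(
                    Bucket=name, PublicAccessBlockConfiguration=FULL_BLOCK)
    return findings


if __name__ == "__main__":
    import sys
    for name, missing in audit_account(enforce="--enforce" in sys.argv):
        print(f"{name}: not fully blocked -> {', '.join(missing)}")
```

Run it without arguments first and review the findings; rerun with --enforce only after the buckets that legitimately serve public content have been moved behind CloudFront, because enabling BlockPublicPolicy and RestrictPublicBuckets on a bucket with a public policy cuts off anonymous reads immediately.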

Verification

get-public-access-block returns true for all four settings at the account level and for every bucket; no bucket is publicly writable; get-bucket-policy-status reports IsPublic false for every bucket except documented exceptions; public read exists only where intended, and each case is recorded with the reason and the owner.

Troubleshooting

Need public read: use CloudFront with OAC (or legacy OAI) and keep the bucket private; failing that, a minimal bucket policy granting s3:GetObject on one prefix, with BlockPublicPolicy and RestrictPublicBuckets turned off for that bucket and for the account. Public bucket policy rejected by PutBucketPolicy: BlockPublicPolicy is on at the bucket or the account level. Policy accepted but anonymous requests still get 403: RestrictPublicBuckets is on at one of the two levels. In both cases check both levels, since S3 applies the more restrictive setting, and prefer moving the content behind CloudFront over relaxing the block.

Next steps

Continue to