What happens when I turn on or turn off the Amazon S3 Block Public Access setting?


I want to know how turning the Amazon Simple Storage Service (Amazon S3) Block Public Access setting on or off affects Amazon S3 operations.

Resolution

Available settings

Amazon S3 Block Public Access has four independent settings. Each one is a Boolean in the PublicAccessBlockConfiguration that the PutPublicAccessBlock API accepts; the API field name is given in parentheses:

  • Block public access that's granted through new access control lists (ACLs) (BlockPublicAcls): Amazon S3 rejects public ACLs that are applied to newly added buckets or objects, and rejects new public ACLs on existing buckets and objects. This setting doesn't change existing ACLs that already grant public access.
  • Block public access that's granted through any ACL (IgnorePublicAcls): S3 ignores all ACLs that grant public access to buckets and objects. The ACLs themselves stay in place, and this setting alone doesn't stop new public ACLs from being written.
  • Block public access that's granted through new public bucket or access point policies (BlockPublicPolicy): S3 rejects a new bucket policy, or an access point policy for that bucket, that grants public access. This setting doesn't change existing policies that allow public access.
  • Block public and cross-account access that's granted through public bucket or access point policies (RestrictPublicBuckets): for a bucket or access point whose policy grants public access, S3 ignores both the public grant and any cross-account grant in that policy, so only principals in the bucket owner's account and AWS service principals can use it.

The first and third options prevent new ACLs or policies that grant public access from being written. They don't change existing policies or ACLs that currently grant public access.

The second and fourth options make S3 ignore public access that's granted through ACLs or policies, whether the grant existed before the setting was turned on or is added afterwards. Turning on all four settings at once is what the console's Block all public access checkbox does.

For more information, see Block public access settings.
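To make the prevent-versus-ignore distinction concrete, the following added example (not AWS code) models the four settings in plain Python: the dataclass field names match the PublicAccessBlockConfiguration element of the API, outcome() reports whether a public grant is rejected, ignored, or honored under a given configuration, and effective() combines account-level and bucket-level settings the way S3 does, by taking the most restrictive value of each flag. The configurations and grants fed to it are constructed for the illustration.

```python
"""Model of how the four S3 Block Public Access settings treat a public grant.

Added illustration, not AWS code. It reproduces the documented behaviour
(new public grants are rejected, existing ones are ignored, and the most
restrictive combination of account and bucket settings wins) so that the
cases can be compared side by side.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class PublicAccessBlock:
    # Field names match the PublicAccessBlockConfiguration element of the
    # Put/GetPublicAccessBlock APIs, in the order of the console's four boxes.
    BlockPublicAcls: bool = False        # reject NEW public ACLs
    IgnorePublicAcls: bool = False       # ignore ALL public ACLs, new or existing
    BlockPublicPolicy: bool = False      # reject NEW public bucket/access point policies
    RestrictPublicBuckets: bool = False  # ignore public and cross-account access via public policies

    def to_api(self) -> dict:
        """Dict in the shape that put_public_access_block() expects."""
        return asdict(self)


ALL_ON = PublicAccessBlock(True, True, True, True)  # the "Block all public access" checkbox


def effective(account: PublicAccessBlock, bucket: PublicAccessBlock) -> PublicAccessBlock:
    """Account and bucket settings combine flag by flag; a flag that's on at either level is on."""
    a, b = account.to_api(), bucket.to_api()
    return PublicAccessBlock(**{k: a[k] or b[k] for k in a})


def outcome(cfg: PublicAccessBlock, grant: str, new: bool) -> str:
    """What S3 does with a public grant under cfg.

    grant: "acl" for a bucket or object ACL, "policy" for a bucket or access point policy.
    new:   True if the grant is being written now, False if it already exists.
    Returns "rejected" (the PUT fails), "ignored" (the grant stays but has no effect)
    or "honored" (public access is actually granted).
    """
    if grant == "acl":
        if new and cfg.BlockPublicAcls:
            return "rejected"
        if cfg.IgnorePublicAcls:
            return "ignored"
        return "honored"
    if grant == "policy":
        if new and cfg.BlockPublicPolicy:
            return "rejected"
        if cfg.RestrictPublicBuckets:
            return "ignored"
        return "honored"
    raise ValueError(f"unknown grant type {grant!r}")


if __name__ == "__main__":
    # Constructed case: the account ignores public ACLs, the bucket blocks new public policies.
    cfg = effective(PublicAccessBlock(IgnorePublicAcls=True), PublicAccessBlock(BlockPublicPolicy=True))
    for grant in ("acl", "policy"):
        for new in (True, False):
            print(f"{grant:6} new={new!s:5} -> {outcome(cfg, grant, new)}")
```

Note what the model makes visible: with only IgnorePublicAcls on, a new public ACL is still accepted by the PUT but has no effect, while with only BlockPublicPolicy on, a public policy that was already in place keeps granting access.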

Turning on or off S3 Block Public Access settings

Note: As of April 2023, all newly-created S3 buckets have S3 Block Public Access turned on by default.

You can turn on these settings at the account level, at the bucket level, or both (access points carry their own settings as well). When the account-level and bucket-level settings differ, S3 applies the most restrictive combination: a setting that's on at either level is in effect for the bucket.

After you turn on all four block public access settings for a bucket, the following happens:

  • Anonymous (unauthenticated) requests are denied. S3 URIs and URLs that are opened in a web browser return HTTP 403 Access Denied together with the request ID.
  • Any public ACL that's applied to S3 objects is ignored, so users that rely on that ACL for object access lose it.

After you turn off block public access settings for a bucket, the following happens:

  • An object that's covered by a public bucket policy or a public ACL is accessible to anyone on the internet who has a link to the object's path. This includes web crawlers and unauthorized users.
  • You might incur increased costs that are associated with S3 requests, such as LIST or GET. An anonymous request that's made against the public bucket or object is charged to the bucket owner.
  • Applicable AWS Config managed rules (for example, s3-bucket-level-public-access-prohibited and s3-account-level-public-access-blocks) and AWS Identity and Access Management (IAM) Access Analyzer for S3 flag your bucket's public status. To be compliant with these rules, turn the block public access settings back on.

The Access column for the bucket in the S3 console summarizes the result. It shows one of the following:

  • Objects can be public: The bucket isn't public, but anyone with the appropriate permissions can grant public access to objects.
  • Bucket and objects not public: The bucket and objects don't have public access.
  • Only authorized users of this account: Access is isolated to IAM users and roles in this account and AWS service principals because there is a policy that grants public access. This is what you see when the bucket policy is public but the restrict public buckets setting is on.
  • Public: Everyone has access to one or more of the following: list objects, write objects, read and write permissions.

Required Permissions

To turn on or turn off S3 Block Public Access settings, your IAM role or user must have the following S3 permissions:

  • Account level: s3:PutAccountPublicAccessBlock
  • Bucket level: s3:PutBucketPublicAccessBlock 

To view your current S3 Block Public Access settings, your IAM role or user must have the following S3 permissions:

  • Account level: s3:GetAccountPublicAccessBlock
  • Bucket level: s3:GetBucketPublicAccessBlock

For more information, see Permissions.

Troubleshooting errors

You might get an Access Denied error when you try to turn on or turn off the Block Public Access settings on your S3 bucket. To troubleshoot this error, try the following:

  • Verify that no AWS Organizations service control policy (SCP) prevents changes to the S3 Block Public Access settings at the account or bucket level. Look for Deny statements that cover the s3:PutBucketPublicAccessBlock and s3:PutAccountPublicAccessBlock actions.
  • Verify that the IAM user or role has the required permissions on the resources.
  • Verify that the S3 bucket where you want to modify the settings doesn't have an existing public bucket policy (any bucket policy statements with Principal: "*"). An explicit Deny in such a statement applies to principals in your own account too.

Identifying the user

To identify which IAM entity modified this setting on your bucket or account, use AWS CloudTrail events. In the CloudTrail console, filter Event history (which keeps the last 90 days of management events) by the following Event names:

  • For account level, look for PutAccountPublicAccessBlock.
  • For bucket level, look for PutBucketPublicAccessBlock.

To identify the caller ARN, check the userIdentity field in the event record:

 "userIdentity": {
   "type": "AssumedRole",
   "principalId": "[AccountID]:[RoleName]",
   "arn": "arn:aws:sts::[AccountID]:assumed-role/[RoleName]/[RoleSession]",
   ...
 }

Then, verify the S3 bucket resource that you want to check in requestParameters:

 "requestParameters": {
   "publicAccessBlock": "",
   "bucketName": "[BucketName]"
 }
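The same lookup can be done over exported CloudTrail log files instead of the console, which is useful when the change happened more than 90 days ago or when you want to alert on it. The following added example (not AWS code) scans records in the CloudTrail JSON log format for the two event names above, reports the calling ARN and the target bucket (or the account), and flags any change that turns one of the four settings off. The records are constructed samples; the PublicAccessBlockConfiguration key inside requestParameters is assumed to be present in the record as it is in the API request, since the page only shows the publicAccessBlock and bucketName fields.

```python
"""Find who changed S3 Block Public Access settings in CloudTrail records.

Added example, not AWS code. Scans a CloudTrail log file ({"Records": [...]})
for PutAccountPublicAccessBlock / PutBucketPublicAccessBlock events, reports
the caller and target, and lists the flags each change turned off.
"""
import json

WATCHED = {"PutAccountPublicAccessBlock", "PutBucketPublicAccessBlock"}
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample log. The PublicAccessBlockConfiguration key is an assumption
# about the record layout; publicAccessBlock and bucketName are the fields the page shows.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPublicAccessBlock",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:deploy",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/deploy"},
     "requestParameters": {"publicAccessBlock": "", "bucketName": "example-bucket",
                           "PublicAccessBlockConfiguration": {
                               "BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutAccountPublicAccessBlock",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"PublicAccessBlockConfiguration": {f: True for f in FLAGS}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPublicAccessBlock",  # a read; not a change, so not reported
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"publicAccessBlock": "", "bucketName": "example-bucket"}},
]})


def changes(log_text: str) -> list[dict]:
    """One summary per watched event: when, who, which target, which flags were turned off."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventName") not in WATCHED:
            continue
        params = rec.get("requestParameters") or {}
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        # A flag explicitly set to false weakens protection; a missing flag is reported as unknown.
        weakened = [f for f in FLAGS if cfg.get(f) is False]
        out.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "caller": (rec.get("userIdentity") or {}).get("arn"),
            # bucket-level events carry bucketName; account-level events do not
            "target": params.get("bucketName", "account"),
            "weakened": weakened,
        })
    return out


if __name__ == "__main__":
    for c in changes(SAMPLE_LOG):
        flag = "WEAKENED " + ",".join(c["weakened"]) if c["weakened"] else "ok"
        print(f"{c['time']} {c['event']:28} {c['target']:16} {c['caller']}  {flag}")
```

Run it over the contents of a real CloudTrail log file (the gzipped JSON objects that CloudTrail delivers to its S3 bucket) by passing the decoded text to changes(); a non-empty weakened list is the event you want to page on.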

Other considerations

  • Bucket policies that grant access on the aws:SourceIp condition key with broad IP address ranges (for example, 0.0.0.0/1) are evaluated as public, because a range that wide doesn't meaningfully restrict who can call the bucket.
  • You can use IAM Access Analyzer for S3 to review buckets with bucket ACLs, bucket policies, or access point policies that grant public access.
  • If your bucket shows Error in the Access column of the S3 console, then your IAM role or user lacks sufficient permissions to list your buckets and their public access settings. Make sure to add the following permissions to your user or role policy:
      s3:GetAccountPublicAccessBlock
      s3:GetBucketPublicAccessBlock
      s3:GetBucketPolicyStatus
      s3:GetBucketLocation
      s3:GetBucketAcl
      s3:ListAccessPoints
      s3:ListAllMyBuckets
  • Amazon S3 doesn't support Block Public Access settings on a per-object basis.
  • When you apply block public access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.
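The aws:SourceIp consideration above is easy to get wrong when reviewing a bucket policy by eye, so the following added example (not AWS's evaluator) shows the check in code. A statement is treated as public when it is an Allow whose Principal is the wildcard and nothing in its Condition ties the caller to an account, organization, VPC or similar. aws:SourceIp counts as restricting only when every listed range is narrower than MAX_PUBLIC_PREFIX; that cut-off of /8 is an assumption made for this example, since the page states only that 0.0.0.0/1 is public. RESTRICTING_KEYS is a subset of the condition keys that the S3 documentation treats as non-public, not the full list. The sample policy is constructed.

```python
"""Heuristic check for public statements in an S3 bucket policy.

Added example, not AWS code. Mirrors the page's rule that a wildcard-principal
Allow is public unless a condition pins down the caller, and that an
aws:SourceIp range that's too broad (such as 0.0.0.0/1) does not count.
"""
import ipaddress

# Subset of condition keys that restrict the caller to an account, org or network.
RESTRICTING_KEYS = {
    "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID",
    "aws:PrincipalOrgPaths", "aws:SourceAccount", "aws:SourceArn",
    "aws:SourceVpc", "aws:SourceVpce", "aws:SourceOwner", "aws:UserId",
}
MAX_PUBLIC_PREFIX = 8  # assumption for this example: /8 or wider is "too broad" to restrict

# Constructed sample policy with one public statement and three non-public ones.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BroadRange", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/1"}}},
        {"Sid": "OfficeRange", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]}}},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _wildcard_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _source_ip_restricts(values) -> bool:
    """True only when every aws:SourceIp range is narrower than the cut-off."""
    if isinstance(values, str):
        values = [values]
    try:
        nets = [ipaddress.ip_network(v, strict=False) for v in values]
    except ValueError:
        return False  # an unparsable range is not trusted to restrict anything
    return all(n.prefixlen > MAX_PUBLIC_PREFIX for n in nets)


def statement_is_public(stmt: dict) -> bool:
    """Allow + wildcard principal + no restricting condition => public."""
    if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
        return False
    for operator, keys in (stmt.get("Condition") or {}).items():
        for key, values in keys.items():
            if key in RESTRICTING_KEYS:
                return False
            # Only a positive IpAddress match narrows the caller; NotIpAddress does not.
            if key == "aws:SourceIp" and operator == "IpAddress" and _source_ip_restricts(values):
                return False
    return True


def public_statements(policy: dict) -> list[str]:
    """Sids (or #index when a statement has no Sid) of the public statements in a policy."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [s.get("Sid", f"#{i}") for i, s in enumerate(stmts) if statement_is_public(s)]


if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
```

This is a reviewer's aid for the case the page describes, not a replacement for IAM Access Analyzer for S3 or the GetBucketPolicyStatus API, which apply AWS's full definition of public.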
AWS OFFICIAL, updated a year ago