SCP to enable "Block S3 Public Access"

Question

Dear Team - Can anyone help me on best way to implement SCP to block the S3 public read access. It should not impact the existing one and only deny when someone trying to create the new bucket and add Policy/ACL for public access. I tried below but still users are able to create new bucket and can apply s3 policy for public read access.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutAccountPublicAccessBlock" ], "Resource": "*", "Effect": "Deny" } ] }

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutAccountPublicAccessBlock"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Accepted Answer

Hi, this SCP works for me: (you need an additional `s3:PutBucketPublicAccessBlock`)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
```

Also note that SCP doesn't apply to the Organization's management account. You can only restrict bucket public access for member accounts.

Answer

> Just to confirm, this will not impact the existing public accessible S3 bucket and only apply to new bucket, right ?

Right. It will not affect the existing bucket.

In my case, `229660767790-public` and `229660767790-private` are existing buckets before the SCP was applied, and `229660767790-public2` is the new bucket after the SCP was applied.

I failed to make `229660767790-public2` public, but `229660767790-public` is still public.

![Enter image description here](/media/postImages/original/IMJUduOsWXT4Sriju3W_ZPJA)

Nevertheless, you should test this policy yourself before applying to the production.

SCP to enable "Block S3 Public Access"

Relevant content