How to Block Public Access to an Individual S3 Bucket

Patrick Londa
December 8, 2022

S3 buckets that are publicly accessible could pose a security risk. To address this, you can restrict access to S3 buckets by either blocking public access at the account-level or at the bucket level.

If you do not have public access blocked at the account level, but want to block public access for a specific S3 bucket, you will need to update the bucket settings.

In this guide, we’ll explain how to block public access from individual S3 buckets to fortify your security.

Blink Automation: Block Public Access to an S3 Bucket with Slack Confirmation
AWS + Slack
Try This Automation

Blocking Public Access for an Existing S3 Bucket

You can update the access setting for an existing S3 bucket using either the AWS Console or the AWS CLI.

Using the AWS Console:

  1. First, sign in to the Amazon S3 Console.
  2. From the Bucket name list, select the bucket that you want to update.
  3. Click the Permissions tab and click Edit.
s3 bucket policy options in aws
Source: How to never have a public S3 bucket by Teri Radichel
  1. You can either select to Block all public access, or specify a subset of the access settings. Click Save.

Using the AWS CLI:

  1. First, you can check the current access-level for your S3 bucket with the following command:
aws s3api get-bucket-policy-status
--bucket <value>

Here’s an example:

aws s3api get-bucket-policy-status \
    --bucket my-bucket

You’ll see an output like this:

{
    "PolicyStatus": {
        "IsPublic": false
    }
}
  1. If you see that the S3 bucket is public, then you can block public access with the following command:
aws s3api put-public-access-block
--bucket <value>
  1. If you want to specify public access settings, you can do that with the --public-access-block-configuration flag. Here’s an example:
aws s3api put-public-access-block \
    --bucket my-bucket \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Now you’ve successfully blocked public access for a specific S3 bucket. If you want to block public access for all S3 buckets, you can edit the access settings at the account-level.

Creating a New S3 Bucket with No Public Access

Using the AWS Console:

When you are creating a new S3 bucket in the AWS Console, you will see a section called Bucket settings for Block Public Access. You can enable all the settings to block public access, which is recommended unless you are using the bucket to host a public website. 

Using the AWS CLI:

When you use the CLI to create a new S3 bucket, you can ensure that the bucket doesn’t allow for public access by including the --acl flag and specifying private:

aws s3api create-bucket \
    --bucket my-bucket \
    --region us-east-1 \
    --acl private

 By setting the ACL (Access Control List) to private, you are configuring the bucket to not be publicly accessible.

Blocking Public Access of a S3 Bucket with Blink

You need to be careful if you have publicly accessible S3 buckets, since it can pose a security risk. You can check individual buckets or alter account settings, but either way, running periodic checks to ensure that you have minimal access settings is a good practice.

With Blink, you can use no-code automations to check for any publicly accessible S3 buckets, send Slack notifications to their owners, and take action to block public access.

Create your free Blink account and secure your S3 buckets today.

Simplify your cloud operations Sign up for Blink today

Transform your cloud operations today with a library of purpose-built DevOps and SecOps playbooks and hundreds of integrations.

Sign Up
Back to Blog

How to Block Public Access to an Individual S3 Bucket

Publicly accessible S3 buckets could pose a security risk for your organization. In this guide, we'll show you how you can block public access at the bucket-level in AWS.

aws-logo

S3 buckets that are publicly accessible could pose a security risk. To address this, you can restrict access to S3 buckets by either blocking public access at the account-level or at the bucket level.

If you do not have public access blocked at the account level, but want to block public access for a specific S3 bucket, you will need to update the bucket settings.

In this guide, we’ll explain how to block public access from individual S3 buckets to fortify your security.

Blink Automation: Block Public Access to an S3 Bucket with Slack Confirmation
AWS + Slack
Try This Automation

Blocking Public Access for an Existing S3 Bucket

You can update the access setting for an existing S3 bucket using either the AWS Console or the AWS CLI.

Using the AWS Console:

  1. First, sign in to the Amazon S3 Console.
  2. From the Bucket name list, select the bucket that you want to update.
  3. Click the Permissions tab and click Edit.
s3 bucket policy options in aws
Source: How to never have a public S3 bucket by Teri Radichel
  1. You can either select to Block all public access, or specify a subset of the access settings. Click Save.

Using the AWS CLI:

  1. First, you can check the current access-level for your S3 bucket with the following command:
aws s3api get-bucket-policy-status
--bucket <value>

Here’s an example:

aws s3api get-bucket-policy-status \
    --bucket my-bucket

You’ll see an output like this:

{
    "PolicyStatus": {
        "IsPublic": false
    }
}
  1. If you see that the S3 bucket is public, then you can block public access with the following command:
aws s3api put-public-access-block
--bucket <value>
  1. If you want to specify public access settings, you can do that with the --public-access-block-configuration flag. Here’s an example:
aws s3api put-public-access-block \
    --bucket my-bucket \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Now you’ve successfully blocked public access for a specific S3 bucket. If you want to block public access for all S3 buckets, you can edit the access settings at the account-level.

Creating a New S3 Bucket with No Public Access

Using the AWS Console:

When you are creating a new S3 bucket in the AWS Console, you will see a section called Bucket settings for Block Public Access. You can enable all the settings to block public access, which is recommended unless you are using the bucket to host a public website. 

Using the AWS CLI:

When you use the CLI to create a new S3 bucket, you can ensure that the bucket doesn’t allow for public access by including the --acl flag and specifying private:

aws s3api create-bucket \
    --bucket my-bucket \
    --region us-east-1 \
    --acl private

 By setting the ACL (Access Control List) to private, you are configuring the bucket to not be publicly accessible.

Blocking Public Access of a S3 Bucket with Blink

You need to be careful if you have publicly accessible S3 buckets, since it can pose a security risk. You can check individual buckets or alter account settings, but either way, running periodic checks to ensure that you have minimal access settings is a good practice.

With Blink, you can use no-code automations to check for any publicly accessible S3 buckets, send Slack notifications to their owners, and take action to block public access.

Create your free Blink account and secure your S3 buckets today.

Simplify your cloud operations

Sign up for Blink today

Transform your cloud operations today with a library of purpose-built DevOps and SecOps playbooks and hundreds of integrations.

Sign up