How to Block Public Access to an Individual S3 Bucket

Publicly accessible S3 buckets could pose a security risk for your organization. In this guide, we'll show you how you can block public access at the bucket level in AWS.

Patrick Londa
Author
Dec 8, 2022 • 5 min read

S3 buckets that are publicly accessible could pose a security risk. To address this, you can restrict access to S3 buckets by blocking public access either at the account level or at the bucket level.

If you do not have public access blocked at the account level, but want to block public access for a specific S3 bucket, you will need to update the bucket settings.

In this guide, we’ll explain how to block public access from individual S3 buckets to fortify your security.


Blocking Public Access for an Existing S3 Bucket

You can update the access setting for an existing S3 bucket using either the AWS Console or the AWS CLI.

Using the AWS Console:

  1. First, sign in to the Amazon S3 Console.
  2. From the Bucket name list, select the bucket that you want to update.
  3. Click the Permissions tab and click Edit.
  4. You can either select to Block all public access, or specify a subset of the access settings. Click Save.

[Image: S3 bucket Block Public Access options in the AWS Console. Source: How to never have a public S3 bucket by Teri Radichel]

Using the AWS CLI:

  1. First, you can check the current access level for your S3 bucket with the following command:

aws s3api get-bucket-policy-status \
    --bucket <value>

Here’s an example:

aws s3api get-bucket-policy-status \
    --bucket my-bucket

You’ll see an output like this:

{
    "PolicyStatus": {
        "IsPublic": false
    }
}

  2. If you see that the S3 bucket is public, then you can block public access with the following command. The AWS CLI requires the --public-access-block-configuration flag on this call; the next step shows the settings it accepts:

aws s3api put-public-access-block \
    --bucket <value> \
    --public-access-block-configuration <value>

  3. To choose which public access settings to apply, list them in the --public-access-block-configuration flag. Here’s an example that enables all four:

aws s3api put-public-access-block \
    --bucket my-bucket \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Now you’ve successfully blocked public access for a specific S3 bucket. If you want to block public access for all S3 buckets, you can edit the access settings at the account level.

Creating a New S3 Bucket with No Public Access

Using the AWS Console:

When you are creating a new S3 bucket in the AWS Console, you will see a section called Bucket settings for Block Public Access. You can enable all the settings to block public access, which is recommended unless you are using the bucket to host a public website.

Using the AWS CLI:

When you use the CLI to create a new S3 bucket, you can ensure that the bucket doesn’t allow for public access by including the --acl flag and specifying private:

aws s3api create-bucket \
    --bucket my-bucket \
    --region us-east-1 \
    --acl private

By setting the ACL (Access Control List) to private, you configure the bucket's ACL so that it grants no public access.

Blocking Public Access of an S3 Bucket with Blink Copilot

You need to be careful if you have publicly accessible S3 buckets, since they can pose a security risk. You can check individual buckets or alter account settings, but either way, running periodic checks to ensure that you have minimal access settings is a good practice.

With Blink, you can use this pre-built automation in the Blink Library to check for any publicly accessible S3 buckets and send a report with non-compliant buckets via email.

You can also generate an automated workflow for this task by typing a prompt into Blink Copilot.


When you run this automation, it executes the following steps:

  1. Checks whether any S3 buckets do not have public access blocked.
  2. Creates a Jira ticket with the exposed bucket's details.
  3. Sends a notification to the DevOps Slack channel.
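An offline version of the first step above, added here as an example (it is not Blink's automation or AWS code): it reads each bucket's four Block Public Access settings, treats a bucket that has never had the setting applied as missing all four, and runs against the constructed FakeS3 sample below. The method names get_public_access_block and list_buckets match boto3's S3 client, so a real client can be passed in place of SAMPLE.

```python
REQUIRED_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                     "BlockPublicPolicy", "RestrictPublicBuckets")

def missing_settings(client, bucket):
    """Return the Block Public Access settings on `bucket` that are not true.

    S3 raises NoSuchPublicAccessBlockConfiguration for a bucket that never had
    the setting applied; treat that as all four settings missing.
    """
    try:
        resp = client.get_public_access_block(Bucket=bucket)
    except Exception as exc:  # botocore ClientError exposes .response["Error"]["Code"]
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return list(REQUIRED_SETTINGS)
        raise
    cfg = resp["PublicAccessBlockConfiguration"]
    return [name for name in REQUIRED_SETTINGS if not cfg.get(name, False)]

def audit_buckets(client):
    """Map each non-compliant bucket name to the settings it is missing."""
    report = {}
    for bucket in client.list_buckets()["Buckets"]:
        gaps = missing_settings(client, bucket["Name"])
        if gaps:
            report[bucket["Name"]] = gaps
    return report

class FakeS3:
    """Constructed stand-in for a boto3 S3 client (sample data, not real buckets)."""
    def __init__(self, configs):
        self._configs = configs  # name -> settings dict, or None if never configured

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in self._configs]}

    def get_public_access_block(self, Bucket):
        cfg = self._configs[Bucket]
        if cfg is None:  # mimic the error boto3 raises for an unconfigured bucket
            err = Exception("NoSuchPublicAccessBlockConfiguration")
            err.response = {"Error": {"Code": "NoSuchPublicAccessBlockConfiguration"}}
            raise err
        return {"PublicAccessBlockConfiguration": cfg}

SAMPLE = FakeS3({
    "locked-down": dict.fromkeys(REQUIRED_SETTINGS, True),
    "half-done": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "never-configured": None,
})
```

Calling audit_buckets(SAMPLE) flags half-done and never-configured while locked-down passes. Note that get-bucket-policy-status, used earlier, evaluates only the bucket policy, whereas get_public_access_block returns the four settings themselves.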

If you want to add an approval step to directly make the S3 bucket private, or change the notification step, just change the prompt to describe your needs.
