# Amazon S3 Block Public Access

Using Amazon S3, you can block public access to all of your objects either at the bucket level or the account level, for existing and all subsequent buckets. This feature secures your data from unauthorized or unintentional access by users outside of your AWS account.

What does it mean to be privately or publicly accessible? The following frequently asked questions about Block Public Access answer that.

### What does private access mean?

Private access means that unless you share the bucket and objects with someone from outside of your account, only the principals in your AWS account can access the objects in your S3 buckets. S3 Block Public Access provides controls across an entire AWS account or at the individual S3 bucket level. Implementing Block Public Access ensures that objects are not publicly accessible now or in the future.

### What does public access mean?

Amazon S3 considers a bucket or object public if it grants any permissions to members of either of the following groups:

- **AuthenticatedUsers** – This group allows all AWS accounts to access the resource. This means any authenticated AWS user, from any AWS account in the world, can access your resource so long as the request is signed (authenticated).
- **AllUsers** – This group allows anyone in the world access to the resource. The requests can be signed (authenticated) or unsigned (anonymous).
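The definition above is mechanical enough to check in code. The following Python is an added example (not from this page and not AWS's own tooling): it scans an ACL in the shape returned by `get_bucket_acl` / `get_object_acl` for grants to the two global groups, and applies a simplified check to a bucket policy for Allow statements with a wildcard principal. The two group URIs are the real ones S3 uses; the function names, the sample ACL and the sample policy are constructed for the example, and the policy check is an assumption that deliberately ignores the condition-key rules S3 itself applies when deciding whether a wildcard principal is public.

```python
"""Classify S3 ACL grants and bucket-policy statements as public or not.

Added example, not AWS code. The ACL check follows the page's definition:
a grant to AllUsers or AuthenticatedUsers makes the resource public. The
policy check is a simplification (assumption): an Allow statement with a
wildcard principal and no Condition block is treated as public.
"""
import json

# Grantee URIs S3 uses for the two predefined global groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUP_URIS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}


def public_acl_grants(acl):
    """Return (group, permission) for every grant that makes the resource public.

    `acl` has the shape of a get_bucket_acl / get_object_acl response:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": ...}, ...]}
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group":
            group = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
            if group:
                findings.append((group, grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index label) of each Allow statement that grants to a
    wildcard principal without a Condition block (simplified public check)."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written unwrapped
        statements = [statements]
    hits = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # assumption: a conditioned wildcard is not flagged here
        hits.append(stmt.get("Sid", f"statement[{idx}]"))
    return hits


# Constructed sample inputs (not real account data).
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "SameAccountOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
```

Running the module on the constructed samples reports both group grants from the ACL and only the `PublicRead` statement from the policy; the `SameAccountOnly` statement names a specific account principal and is not flagged.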

### Is Block Public Access on by default?

For new buckets, access points, and objects, Block Public Access is enabled by default. When this feature is enabled, even if a user modifies an object's permissions to allow public access, the S3 Block Public Access setting overrides the modified permissions and continues to restrict public access to the object.

### Why don't I want my objects made public?

Few use cases require a bucket to be made public. Buckets and objects that are public can be accessed by anyone on the internet. Most businesses do not want their intellectual property, business documentation, or customer data made available to the public. Therefore, Block Public Access is built into Amazon S3 security by default.

### Can I enable public access on only some objects or buckets?

Yes. You can grant public access to buckets and objects through access control lists (ACLs), access point policies, and bucket policies. By doing this, you can have some buckets or objects available for public consumption, while others can be secured for private access or locked down for access only to a particular service or set of users.

### Can I enable Block Public Access on a single object?

Amazon S3 doesn't support Block Public Access settings on a per-object basis. You can enable Block Public Access settings only for access points, buckets, and AWS accounts.

## How it works

When Amazon S3 receives a request to access a bucket or an object, it determines whether the bucket or the bucket owner's account has a Block Public Access setting applied. If the request was made through an access point, Amazon S3 also checks for Block Public Access settings for the access point. If there is an existing Block Public Access setting that prohibits the requested access, Amazon S3 rejects the request.

![image.png](attachment:image.png)

## Block Public Access settings

Amazon S3 Block Public Access provides four settings. These settings are independent and can be used in any combination. If the Block Public Access settings for the access point, bucket, or account differ, then Amazon S3 applies the most restrictive combination of settings. When Amazon S3 evaluates whether an operation is prohibited by a block public access setting, it rejects any request that violates an access point, bucket, or account setting. 

The following image shows the available Block Public Access options. When you enable the primary option, you enable all four of the subordinate options. Any new bucket has Block All Public Access enabled by default. If you want to allow public access to a bucket or objects, you must disable Block Public Access for the account. 

![image.png](attachment:image.png)

You can review each of the following Block Public Access options, which are enabled at the account level or the bucket level. The Block Public Access settings at the account level override any settings on the individual buckets.

## Block Public Access granted through new ACLs

This option prevents you from creating any new ACL, either for a bucket or object, that grants public access permissions. This option affects only the creation of new public ACLs. It does not alter any existing ACLs or policies. Any existing ACLs or policies granting public access permissions will not be affected, and public access to those resources will remain intact.

After you enable this option, review your ACLs to evaluate any existing public access permissions and assess whether those permissions should stay the same.

Remember, with this option enabled, if you have any bucket policies or existing ACLs granting public access to buckets and objects, those resources will remain publicly accessible. If you want to block all public access to buckets and objects, choose the block all public access option.

## Block public access granted through any ACLs

This option affects only how ACL public permissions are evaluated. When you enable this option, any existing ACLs that grant public permission on buckets and objects are ignored. This setting does not alter existing ACLs themselves. However, any resources configured with existing public ACLs will no longer be publicly accessible.

You are not prevented from creating new ACLs that would normally grant public access. You can still create them, but those ACLs are ignored, and thus the bucket or objects are still not publicly accessible.

Take the time to review your ACLs after this option is enabled and remove any public ACLs to prevent any possible future mistakes. If the block public access granted through any ACLs option is later disabled, any existing public ACLs will be in effect.

Remember, with this option enabled, if you have any bucket policies granting public access to buckets and objects, those buckets or objects will remain publicly accessible. If you want to block all public access to buckets and objects, choose the block all public access option.

## Block public access granted through new public bucket policies

This option prevents only the creation of new bucket policies that grant public access. Any existing bucket policies are not affected. If you currently have any bucket policies configured that grant public access, those buckets or objects remain publicly accessible.

To use this setting effectively, you should apply it at the AWS account level. A bucket policy can allow users to alter a bucket's Block Public Access settings. Therefore, users who have permission to change a bucket policy could insert a policy that allows them to disable the Block Public Access settings for the bucket. If this setting is enabled for the entire account, instead of a specific bucket, Amazon S3 blocks public policies even if a user alters the bucket policy to disable this setting.

Remember, with this option enabled, if you have any existing bucket policies or ACLs granting public access to buckets and objects, those buckets or objects will remain publicly accessible. If you want to block all public access to buckets and objects, choose the block all public access option.

## Block public and cross-account access granted through any public bucket policies

This option affects only how bucket policy permissions are evaluated. When you enable this option, any public permissions granted to buckets or objects through bucket policies are ignored. This option, when enabled, restricts access to a bucket with a public policy to only AWS services and authorized users within the bucket owner's account. This setting blocks all cross-account access to the bucket with a public policy (except by AWS services), while still allowing users within the account to manage the bucket.

This does not alter existing bucket policies. However, any existing bucket policies that grant public access are ignored, blocking public access and any cross-account access configurations.

Remember, with this option enabled, if you have any ACLs granting public access to buckets and objects, those buckets or objects will remain publicly accessible. If you want to block all public access to buckets and objects, choose the block all public access option.

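The four settings above, together with the rule that account, bucket and access point settings combine to the most restrictive result, can be captured in a small model. The following Python is an added example, not AWS's own code: `effective_settings` implements the most-restrictive combination (a flag is effectively on when any level turns it on), and `evaluate` encodes what each setting blocks, including the caveat repeated in each section that one setting leaves the other grant mechanism untouched. The setting keys are the real `PublicAccessBlockConfiguration` keys; the request model (`action`, `source`, `requester`), the function names and the scenario in `demo` are this example's own simplification. `apply_bucket_settings` calls the real boto3 `put_public_access_block` API and assumes boto3 and AWS credentials are available; it is not exercised offline.

```python
"""Model how S3 Block Public Access settings combine and what each one blocks.

Added example, not AWS code. Encodes two statements from the text:
(1) differing account/bucket/access point settings combine to the most
    restrictive result;
(2) each of the four settings blocks one thing and leaves the other grant
    mechanism (ACL vs bucket policy) in effect.
The request model and helper names are this example's own simplification.
"""
from typing import Dict, Optional

# Real keys of an S3 PublicAccessBlockConfiguration.
SETTING_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

# Enabling the primary "Block all public access" option turns on all four.
BLOCK_ALL = {k: True for k in SETTING_KEYS}


def effective_settings(*levels: Optional[Dict[str, bool]]) -> Dict[str, bool]:
    """Most restrictive combination of account, bucket and access point settings.

    A level with no configuration is passed as None; a missing key counts as
    False (no block). A flag is effectively on if any level turns it on."""
    return {k: any(bool(lvl.get(k, False)) for lvl in levels if lvl) for k in SETTING_KEYS}


def evaluate(settings, action, source, public, requester="anonymous"):
    """Decide whether Block Public Access overrides a grant.

    action:    "put_acl" (create/modify an ACL), "put_policy" (write a bucket
               policy) or "access" (read/write a bucket or object)
    source:    "acl" or "policy", the mechanism that grants (or would grant) access
    public:    the grant targets AllUsers/AuthenticatedUsers or a wildcard principal
    requester: "anonymous", "same_account" or "cross_account"; for "access" the
               requester is assumed to be covered by the grant absent these settings
    Returns (allowed, reason)."""
    if action == "put_acl":
        if public and settings["BlockPublicAcls"]:
            return False, "BlockPublicAcls: new public ACL rejected"
        return True, "ACL written (existing ACLs untouched)"
    if action == "put_policy":
        if public and settings["BlockPublicPolicy"]:
            return False, "BlockPublicPolicy: new public bucket policy rejected"
        return True, "bucket policy written"
    if action == "access":
        if not public:
            return True, "grant is not public; Block Public Access does not apply"
        if source == "acl":
            if settings["IgnorePublicAcls"]:
                return False, "IgnorePublicAcls: existing public ACL grant ignored"
            return True, "public ACL grant honoured (IgnorePublicAcls is off)"
        if source == "policy":
            if settings["RestrictPublicBuckets"] and requester != "same_account":
                return False, "RestrictPublicBuckets: public policy usable only inside the owner's account"
            return True, "public bucket policy honoured"
    raise ValueError(f"unknown action/source: {action}/{source}")


def apply_bucket_settings(bucket: str, settings: Dict[str, bool]) -> None:
    """Write settings to a bucket with the real S3 API (assumes boto3 and
    credentials are configured; not run offline)."""
    import boto3  # imported here so the rest of the module runs without it
    boto3.client("s3").put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=settings)


def demo() -> dict:
    """Constructed scenario: the account blocks new public ACLs, the bucket
    restricts public policies, and no level turns on IgnorePublicAcls."""
    account = {"BlockPublicAcls": True}
    bucket = {"RestrictPublicBuckets": True}
    eff = effective_settings(account, bucket, None)
    return {
        "effective": eff,
        "new_public_acl": evaluate(eff, "put_acl", "acl", True),
        "cross_account_via_public_policy": evaluate(eff, "access", "policy", True, "cross_account"),
        "owner_via_public_policy": evaluate(eff, "access", "policy", True, "same_account"),
        # The caveat from the text: an existing public ACL keeps working
        # until IgnorePublicAcls (or Block all public access) is enabled.
        "anonymous_via_existing_public_acl": evaluate(eff, "access", "acl", True, "anonymous"),
        "block_all_vs_public_acl": evaluate(BLOCK_ALL, "access", "acl", True, "anonymous"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `demo` scenario makes the combination rule visible: the account sets only `BlockPublicAcls` and the bucket only `RestrictPublicBuckets`, yet both are in effect, so a cross-account read relying on a public bucket policy is denied while the owner's account keeps access. It also shows why each section ends with the same reminder: with `IgnorePublicAcls` still off, an anonymous read through an existing public ACL is honoured until the block-all preset is applied.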
## Using Access Analyzer for S3 

Access Analyzer for S3 alerts you when S3 buckets are publicly accessible or accessible to other AWS accounts, including AWS accounts outside of your organization. For each public or shared bucket, you receive findings on the source and level of public or shared access. For example, Access Analyzer for S3 might show that a bucket has read or write access provided through a bucket ACL, a bucket policy, or an access point policy.

If Access Analyzer for S3 identifies public buckets, you receive a warning at the top of the page that shows the number of public buckets in your Region. You can download your bucket findings as a CSV report that you can use for auditing purposes. Equipped with this knowledge, you can take immediate and precise corrective action to restore your bucket access to what you intended.