I want to manage access to my Amazon Simple Storage Service (Amazon S3) resources. To do this, I want to use S3 Block Public Access.
Resolution
You can configure Amazon S3 Block Public Access settings for different levels of access.
Add the required permissions
To change the S3 Block Public Access settings, make sure that your AWS Identity and Access Management (IAM) user or role has the following permissions:
- s3:PutAccountPublicAccessBlock
- s3:PutBucketPublicAccessBlock
To view your current S3 Block Public Access settings, make sure that your IAM user or role has the following permissions:
- s3:GetAccountPublicAccessBlock
- s3:GetBucketPublicAccessBlock
For more information, see Permissions.
Activate or deactivate S3 Block Public Access
Note: As of April 2023, Amazon S3 automatically activates S3 Block Public Access for all buckets that you create.
You can configure S3 Block Public Access settings at the account level, bucket level, or both.
Activate S3 Block Public Access
After you activate S3 Block Public Access, Amazon S3 takes the following actions:
- With all four settings on, denies anonymous (unauthenticated) requests with no exceptions. Requests that rely on public access, for example an S3 URL opened in a web browser or fetched with curl, receive an HTTP 403 (AccessDenied) response.
- Rejects new public ACLs on the bucket and its objects, ignores public ACLs that already exist, and rejects bucket policies that grant public access. Access granted to specific AWS principals through IAM or a non-public bucket policy is unchanged.
Deactivate S3 Block Public Access
If you deactivate S3 Block Public Access, then Amazon S3 allows anonymous access to any bucket or object that a public bucket policy or public ACL grants. You might incur costs for Amazon S3 requests, such as LIST or GET, because AWS charges you for anonymous requests that anyone makes against the public bucket or object. AWS Config rules and IAM Access Analyzer for S3 generate findings about your bucket's public status.
When you deactivate S3 Block Public Access, your Amazon S3 console shows access settings on the External access summary pane.
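The account-level and bucket-level settings are evaluated together, and Amazon S3 enforces the most restrictive combination, so turning a setting off at the bucket level does not open a bucket while the account-level setting is still on. The following is an added example, not code from the AWS article: it builds the four-setting configuration, computes the effective setting from the two levels, and wraps the boto3 calls that apply or read them. The account ID, bucket name and session arguments are placeholders.

```python
"""Added example (not part of the AWS article): build, compare and apply
S3 Block Public Access configurations. Account ID, bucket name and
session are placeholders. Amazon S3 enforces the most restrictive
combination of the account-level and bucket-level settings, so
effective_block() treats a setting as on if either level turns it on."""

# The four settings that make up a PublicAccessBlockConfiguration.
SETTINGS = (
    "BlockPublicAcls",        # reject PUT requests that set a public ACL
    "IgnorePublicAcls",       # ignore public ACLs that already exist
    "BlockPublicPolicy",      # reject bucket policies that grant public access
    "RestrictPublicBuckets",  # limit a bucket with a public policy to this account
)


def full_block():
    """All four settings on: the default for buckets created since April 2023."""
    return {s: True for s in SETTINGS}


def effective_block(account_cfg, bucket_cfg):
    """Setting a request is subject to: a missing level counts as all-off,
    and a setting is enforced if either level turns it on."""
    account_cfg = account_cfg or {}
    bucket_cfg = bucket_cfg or {}
    return {s: bool(account_cfg.get(s, False) or bucket_cfg.get(s, False)) for s in SETTINGS}


def open_settings(cfg):
    """Names of settings that are off, i.e. the ways public access can still be granted."""
    return [s for s in SETTINGS if not cfg.get(s, False)]


def apply_account_block(account_id, cfg, session=None):
    """PutAccountPublicAccessBlock (needs s3:PutAccountPublicAccessBlock)."""
    import boto3  # imported here so the helpers above work without boto3 installed
    s3control = (session or boto3.Session()).client("s3control")
    return s3control.put_public_access_block(
        AccountId=account_id, PublicAccessBlockConfiguration=cfg)


def apply_bucket_block(bucket, cfg, session=None):
    """PutBucketPublicAccessBlock (needs s3:PutBucketPublicAccessBlock)."""
    import boto3
    s3 = (session or boto3.Session()).client("s3")
    return s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=cfg)


def get_bucket_block(bucket, session=None):
    """Bucket-level config, or None when the bucket has no configuration of its own
    (GetPublicAccessBlock then fails with NoSuchPublicAccessBlockConfiguration)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = (session or boto3.Session()).client("s3")
    try:
        return s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise


if __name__ == "__main__":
    # Placeholder values; replace with a real bucket and account before running.
    account_level = full_block()
    bucket_level = {s: False for s in SETTINGS}  # someone "turned it off" on the bucket
    print("still open:", open_settings(effective_block(account_level, bucket_level)) or "nothing")
    # apply_bucket_block("example-bucket", full_block())
    # apply_account_block("111122223333", full_block())
```

The `get_bucket_block` helper matters during a review: a bucket with no configuration of its own is not "open", it simply inherits the account-level settings, which is why `effective_block` accepts `None` for either level.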
Troubleshoot "Access Denied" and S3 bucket errors
You might get an "Access Denied" error when you try to activate or deactivate S3 Block Public Access on your S3 bucket.
To troubleshoot this issue, take the following actions:
- Verify that AWS Organizations service control policies (SCPs) don't prevent modifications to S3 Block Public Access at the account or bucket level. Check Deny statements for s3:PutBucketPublicAccessBlock and s3:PutAccountPublicAccessBlock actions.
- If your bucket shows Error in its Access column, then add the following permissions to list buckets and public access settings to your IAM policy:
  - s3:GetAccountPublicAccessBlock
  - s3:GetBucketPublicAccessBlock
  - s3:GetBucketPolicyStatus
  - s3:GetBucketLocation
  - s3:GetBucketAcl
  - s3:ListAccessPoints
  - s3:ListAllMyBuckets
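An SCP can deny the Put actions with a wildcard (for example s3:PutAccount*) rather than by their full names, so reading the policy by eye is easy to get wrong. The following is an added example, not code from the AWS article: it scans a policy document for Deny statements whose Action or NotAction covers the two Block Public Access actions, using IAM's case-insensitive wildcard matching. The SAMPLE_SCP document is constructed for the example. It does not evaluate Resource or Condition elements, so treat a hit as something to read, not as proof of a deny.

```python
"""Added example (not part of the AWS article): find Deny statements in an
SCP or any IAM policy document that would block changes to S3 Block
Public Access. SAMPLE_SCP is constructed for the example."""
import fnmatch
import json

BLOCK_PUBLIC_ACCESS_ACTIONS = (
    "s3:PutAccountPublicAccessBlock",
    "s3:PutBucketPublicAccessBlock",
)


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_denies(policy, actions=BLOCK_PUBLIC_ACCESS_ACTIONS):
    """Return (statement id or index, matching pattern, target action) for every
    Deny statement whose Action covers one of the target actions. A Deny with
    NotAction denies everything it does not list, so it is reported too.
    Resource and Condition are ignored: this is a finder, not an evaluator."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            for target in actions:
                if not any(action_matches(p, target) for p in excluded):
                    hits.append((sid, "NotAction", target))
            continue
        for pattern in _as_list(stmt.get("Action")):
            for target in actions:
                if action_matches(pattern, target):
                    hits.append((sid, pattern, target))
    return hits


# Constructed SCP: allows everything, then locks Block Public Access changes.
SAMPLE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "LockBPA", "Effect": "Deny",
     "Action": ["s3:PutBucketPublicAccessBlock", "s3:PutAccount*"],
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for sid, pattern, target in find_denies(SAMPLE_SCP):
        print(f"{sid}: '{pattern}' denies {target}")
```

Run it against each SCP attached to the account's OU path (aws organizations list-policies-for-target) and against any permissions boundary on the caller; a Deny anywhere in that chain produces the same "Access Denied" as a missing Allow.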
Identify the IAM user or role that modified S3 Block Public Access
Check your AWS CloudTrail Event history to identify events for the following EventNames:
- For account level, check for PutAccountPublicAccessBlock.
- For bucket level, check for PutBucketPublicAccessBlock.
To identify the caller's Amazon Resource Name (ARN), check the userIdentity field in the log. Example log:
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "[AccountID]:[RoleName]",
    "arn": "arn:aws:sts::[AccountID]:assumed-role/[RoleName]/[RoleSession]"
  }
Then, check bucketName to identify the modified S3 bucket. Example log:
  "requestParameters": {
    "publicAccessBlock": "",
    "bucketName": "[BucketName]"
  }
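Reading one event in the console tells you who made one change; a review usually needs every Put*PublicAccessBlock event in a period, the scope (bucket or account) each one touched, and which settings it switched off. The following is an added example, not code from the AWS article: it walks CloudTrail records (the Records array from a trail's log files or a lookup-events export) and summarizes those events. The SAMPLE_RECORDS below are constructed; the eventName, userIdentity, requestParameters.bucketName and recipientAccountId fields are standard CloudTrail fields, while the PublicAccessBlockConfiguration sub-object is an assumption about how the request body is recorded, so compare it with your own logs before relying on the turned_off list.

```python
"""Added example (not part of the AWS article): summarize the CloudTrail
events that change S3 Block Public Access. SAMPLE_RECORDS is constructed;
the PublicAccessBlockConfiguration shape inside requestParameters is an
assumption about the record format, the other fields are standard."""
import json

BPA_EVENTS = {"PutAccountPublicAccessBlock", "PutBucketPublicAccessBlock"}
SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def summarize(record):
    """None for unrelated events; otherwise who changed what, and which settings went off."""
    name = record.get("eventName")
    if name not in BPA_EVENTS:
        return None
    identity = record.get("userIdentity") or {}
    params = record.get("requestParameters") or {}
    cfg = params.get("PublicAccessBlockConfiguration") or {}  # assumed shape, see lead-in
    # Values may be recorded as JSON booleans or as the strings "true"/"false".
    turned_off = [s for s in SETTINGS if str(cfg.get(s, "")).lower() == "false"]
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return {
        "time": record.get("eventTime"),
        "event": name,
        # Bucket-level events carry bucketName; account-level ones do not.
        "scope": params.get("bucketName") or f"account {record.get('recipientAccountId')}",
        "caller_type": identity.get("type"),
        "caller_arn": identity.get("arn"),
        "role_arn": issuer.get("arn"),  # the underlying role for AssumedRole callers
        "source_ip": record.get("sourceIPAddress"),
        "turned_off": turned_off,
    }


def audit(records):
    """Summaries for every Block Public Access change, in log order."""
    return [s for s in (summarize(r) for r in records) if s]


def weakening_changes(records):
    """Only the changes that switched at least one setting off."""
    return [s for s in audit(records) if s["turned_off"]]


# Constructed records: a bucket-level weakening by an assumed role, an unrelated
# GetObject, and an account-level change that leaves everything on.
SAMPLE_RECORDS = json.loads("""
[
 {"eventTime": "2024-05-01T10:00:00Z", "eventName": "PutBucketPublicAccessBlock",
  "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
  "recipientAccountId": "111122223333",
  "userIdentity": {"type": "AssumedRole",
    "principalId": "AROAEXAMPLEID:ci-run-42",
    "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-run-42",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/DeployRole"}}},
  "requestParameters": {"publicAccessBlock": "", "bucketName": "example-bucket",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
      "BlockPublicPolicy": false, "RestrictPublicBuckets": false}}},
 {"eventTime": "2024-05-01T10:01:00Z", "eventName": "GetObject",
  "eventSource": "s3.amazonaws.com", "recipientAccountId": "111122223333",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-bucket", "key": "index.html"}},
 {"eventTime": "2024-05-01T10:02:00Z", "eventName": "PutAccountPublicAccessBlock",
  "eventSource": "s3.amazonaws.com", "recipientAccountId": "111122223333",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"accountId": "111122223333",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
      "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}}
]
""")

if __name__ == "__main__":
    for change in weakening_changes(SAMPLE_RECORDS):
        print(f"{change['time']} {change['caller_arn']} turned off "
              f"{', '.join(change['turned_off'])} on {change['scope']}")
```

Feed it the Records array of each log file from the trail (or `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketPublicAccessBlock`, which returns the same record as a JSON string in CloudTrailEvent). The role_arn field is what you act on for AssumedRole callers: the session name in the caller ARN is chosen by whoever assumed the role, so the trust policy and permissions of the role itself are where to look next.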