
S3: is public access possible when Block all public access is on and object ownership is bucket owner enforced

0

Hi:

I created a directory bucket in S3 and put some objects in it with the intention of making those objects publicly accessible after I had uploaded them to the bucket.

Turns out that when I set up the bucket, I chose the "block all public access" setting, and set the bucket up so that object ownership is "Bucket owner enforced".

Reading the docs to find out how to change these settings has left me totally confused. I have the vague impression that, given my initial choices in setting up the bucket, it is now impossible for me to change settings in a way that would make the objects in the bucket public, and thus my only option is to destroy the bucket and start over. Is that correct?

If not, please tell me how to make the objects in my bucket public.

asked 5 months ago · 186 views
2 Answers
1
Accepted Answer

Hi,

You are right, it looks like a directory bucket can't be public: "Directory buckets have all S3 Block Public Access settings enabled by default"

This is what the AWS doc says for directory buckets:

"Directory buckets have all S3 Block Public Access settings enabled by default at the bucket level. S3 Object Ownership is set to bucket owner enforced and access control lists (ACLs) are disabled. These settings can't be modified."

https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html

Best,

answered 5 months ago
-1

You can still make your objects publicly accessible even after initially setting up your bucket with "Block all public access" enabled and "Bucket owner enforced" object ownership. You don't need to destroy the bucket and start over.

Here's how to make your objects publicly accessible:

  1. First, you need to modify the Block Public Access settings for your bucket:
     • Go to the S3 console and navigate to your bucket
     • Click on the "Permissions" tab
     • Find the "Block public access" section and click "Edit"
     • Uncheck "Block all public access" (you may need to uncheck all four individual settings)
     • Save the changes
  2. After disabling Block Public Access, you can make your objects public by either:

Option A: Adding a bucket policy that grants public read access:

  • In the "Permissions" tab, go to "Bucket policy"
  • Add a policy similar to this (replace YOUR_BUCKET_NAME with your actual bucket name):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PublicReadGetObject",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
      ]
    }

Note that even with "Bucket owner enforced" object ownership (which disables ACLs), you can still make objects public using bucket policies. The bucket policy approach is actually the recommended way to grant public access rather than using ACLs.

Remember that making S3 objects public is not recommended for most use cases due to security concerns. Consider if there are alternative approaches that might better suit your needs, such as using pre-signed URLs for temporary access.
Sources
Setting permissions for website access - Amazon Simple Storage Service
Is my bucket publicly accessible? | AWS re:Post
How to make bucket or objects public? | AWS re:Post
Access control in Amazon S3 - Amazon Simple Storage Service
Blocking public access to your Amazon S3 storage - Amazon Simple Storage Service

answered 5 months ago
  • Unfortunately, Step 1 in these instructions seems to be based on a false premise. On the permissions tab for my bucket, the Block public access settings say "These settings can't be edited".
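
Added example, not part of the thread and not AWS code: a Python check of whether a bucket policy like the one in the second answer can actually expose objects, given the bucket type and its Block Public Access settings. The directory-bucket name-suffix test, the simplified "public" test (wildcard principal, no Condition), the verdict strings and the bucket names are assumptions of this example.

```python
import re

# Assumption: a directory bucket is recognised by its name suffix --<zone-id>--x-s3.
DIRECTORY_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]*--[a-z0-9-]+--x-s3$")
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def is_directory_bucket(name):
    return bool(DIRECTORY_BUCKET_RE.match(name))

def public_statements(policy):
    """Sids of Allow statements open to everyone (simplified: wildcard principal, no Condition)."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given without a list
        stmts = [stmts]
    found = []
    for s in stmts:
        principal = s.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
            found.append(s.get("Sid", "<no Sid>"))
    return found

def assess(bucket, bpa, policy):
    """Return (verdict, reason): can this policy make objects in this bucket public?"""
    public = public_statements(policy)
    if not public:
        return "not-public", "policy has no statement open to everyone"
    if is_directory_bucket(bucket):
        # Per the AWS doc quoted in the accepted answer: all settings on, not modifiable.
        return "blocked-fixed", "directory bucket: Block Public Access cannot be turned off"
    if bpa.get("BlockPublicPolicy") or bpa.get("RestrictPublicBuckets"):
        return "blocked-editable", "Block Public Access overrides: " + ", ".join(public)
    return "public", "anonymous access granted by: " + ", ".join(public)

# Constructed sample input: the policy shape from the second answer.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"}]}
ALL_ON = dict.fromkeys(BPA_KEYS, True)
ALL_OFF = dict.fromkeys(BPA_KEYS, False)

if __name__ == "__main__":
    # Constructed bucket names: one directory bucket, one general purpose bucket.
    for name, bpa in [("example-data--usw2-az1--x-s3", ALL_OFF),
                      ("example-data", ALL_ON), ("example-data", ALL_OFF)]:
        print(name, assess(name, bpa, SAMPLE_POLICY))
```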
