You should keep all the Block Public Access (BPA) protections enabled. When specified AWS account IDs or another specific subset of identities is granted access, it isn't "public" in the context of AWS access policies. Public access refers to access that is granted to everyone or nearly everyone in the world.
Could you share the policies you've configured? You should redact your exact bucket name and replace account IDs with all zeroes or all ones, for example, but include the non-sensitive parts of the policies.
In typical situations, if your S3 bucket is using the default encryption option of SSE-S3 and the object ownership setting is set to "object owner enforced", you'll need to grant the following permissions in both the policies attached to the IAM role/user in account A and the bucket policy in account B:
- to the bucket ARN (such as `arn:aws:s3:::my-bucket-name`):
  - s3:GetBucketLocation
  - s3:ListBucket
- to object ARNs (such as `arn:aws:s3:::my-bucket-name/*`, with the `/*` at the end):
  - s3:GetObject for read access
  - s3:PutObject for write access
  - s3:DeleteObject to delete objects
- sometimes additionally:
  - s3:GetObjectVersion for reading specific object versions
  - s3:PutObjectAcl for uploading objects and specifying old-fashioned ACL-based permissions for the object
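The split between bucket-level and object-level actions above is the usual source of cross-account `AccessDenied` errors, so here is an added example (not from the answer or from AWS) that generates the matching identity policy for account A and bucket policy for account B, and lints any policy for actions attached to the wrong ARN shape or to a wildcard principal. The bucket name and role ARN are constructed placeholders.

```python
import json

# Actions that must be granted on the bucket ARN itself (no trailing /*).
BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket"}
# Actions that must be granted on object ARNs (bucket ARN plus /* or a key prefix).
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:GetObjectVersion", "s3:PutObjectAcl"}


def cross_account_policies(bucket, role_arn, write=False):
    """Return (identity_policy for account A, bucket_policy for account B)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    obj_actions = ["s3:GetObject"] + (["s3:PutObject", "s3:DeleteObject"] if write else [])
    statements = [
        {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS), "Resource": bucket_arn},
        {"Effect": "Allow", "Action": obj_actions, "Resource": f"{bucket_arn}/*"},
    ]
    identity_policy = {"Version": "2012-10-17", "Statement": statements}
    # The bucket policy carries the same statements, but names the specific
    # cross-account principal instead of "*" so BPA never has to intervene.
    bucket_policy = {"Version": "2012-10-17",
                     "Statement": [dict(s, Principal={"AWS": role_arn}) for s in statements]}
    return identity_policy, bucket_policy


def lint_policy(policy):
    """Return a list of problems found in a policy document (empty list = OK)."""
    problems = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append("wildcard principal grants public access; name the account or role")
        for res in resources:
            # Anything after the bucket name (a key or /*) makes this an object ARN.
            is_object_arn = "/" in res.split(":::", 1)[-1]
            for act in actions:
                if act in BUCKET_ACTIONS and is_object_arn:
                    problems.append(f"{act} must target the bucket ARN, not {res}")
                if act in OBJECT_ACTIONS and not is_object_arn:
                    problems.append(f"{act} must target object ARNs ({res}/*), not {res}")
    return problems


if __name__ == "__main__":
    ident, bucket = cross_account_policies("my-bucket-name",
                                           "arn:aws:iam::111111111111:role/reader", write=True)
    print(json.dumps(bucket, indent=2), lint_policy(bucket))
```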