I enabled public access on my bucket's ACL using the Amazon S3 console. Is my bucket open to everyone?

Last updated: 2021-12-10

I used the Amazon Simple Storage Service (Amazon S3) console to update my bucket's access control list (ACL) to allow public access. Can anyone access my bucket?

Resolution

Even if you enable all available ACL options in the Amazon S3 console, the ACL alone won't allow everyone to download objects from your bucket. However, depending on which option you select, any user could perform these actions:

  • If you select List objects for the Everyone group, then anyone can get a list of objects that are in the bucket.
  • If you select Write objects, then anyone can upload, overwrite, or delete objects that are in the bucket.
  • If you select Read bucket permissions, then anyone can view the bucket's ACL.
  • If you select Write bucket permissions, then anyone can change the bucket's ACL.

For more information, see What permissions can I grant?

To prevent any accidental change to public access on a bucket's ACL, you can configure public access settings for the bucket. If you select Block new public ACLs and uploading public objects, then users can't add new public ACLs or upload public objects to the bucket. If you select Remove public access granted through public ACLs, then all existing or new public access granted by ACLs is respectively overridden or denied.

Important: Granting cross-account access through bucket and object ACLs doesn't work for buckets that have S3 Object Ownership set to Bucket Owner Enforced. In most cases, ACLs aren't required to grant permissions to objects and buckets. Instead, use AWS Identity Access and Management (IAM) policies and S3 bucket policies to grant permissions to objects and buckets.


Did this article help?


Do you need billing or technical support?