Amazon S3 Block Public Access
Activate it now! Block all public access to your S3 data, now and in the future
Overview
Store your data in Amazon S3 and secure it from unauthorized access with S3 Block Public Access. Amazon S3 is the only object storage service that allows you to block public access to all of your objects at the bucket, account, or organization level, now and in the future, by using S3 Block Public Access. S3 Block Public Access now integrates with AWS Organizations, enabling you to centrally manage S3 Block Public Access settings across your entire organization with a single policy configuration. To ensure that public access to all your S3 buckets and objects is blocked, turn on block all public access at the account level, or use organization-level enforcement to apply the settings across multiple AWS accounts. With a few clicks in the S3 management console or the AWS Organizations console, you can apply S3 Block Public Access to every bucket in your account, both existing buckets and any new buckets created in the future, and make sure that there is no public access to any object. For organizations with multiple AWS accounts, you can centrally manage these settings across all member accounts using AWS Organizations policies. S3 Block Public Access is enabled by default for all new buckets.
S3 Block Public Access
S3 Block Public Access provides controls across an entire AWS Account or AWS Organization or at the individual S3 bucket level to ensure that objects never have public access, now and in the future.
Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both. To ensure that public access to all your S3 buckets and objects is blocked, turn on block all public access at the account level or the organization level. Account-level settings apply to all current and future buckets in the account. For organizations managing multiple AWS accounts, organization-level policies propagate to all member accounts, and new member accounts inherit the policy automatically.
AWS recommends that you turn on Block all public access, but before applying any of these settings, ensure that your applications will work correctly without public access. If you require some level of public access to your buckets or objects, you can customize the individual settings below to suit your specific storage use cases or work with your organization administrator to configure appropriate policy attachment strategies.
All new buckets have Block Public Access enabled by default. If you want to restrict access to all existing buckets in your account, you can enable Block Public Access at the account level. If you manage multiple AWS accounts, you can enable Block Public Access at the organization level using AWS Organizations Policies to centrally control settings across all member accounts. S3 Block Public Access settings override S3 permissions that allow public access, making it easy for the account administrator or organization administrator to set up a centralized control to prevent variation in security configuration regardless of how an object is added or a bucket is created.
If an object is written to an AWS Account or S3 bucket with S3 Block Public Access enabled, and that object specifies any type of public permissions via ACL or policy, those public permissions are blocked. When organization-level policies are in effect, S3 takes the most restrictive policy between bucket-level, account-level, and organization-level settings.
In addition to the S3 console, you can enable S3 Block Public Access via the AWS CLI, SDKs, or REST APIs. Organization-level Block Public Access can be configured through the AWS Organizations console, CLI, or APIs. Detailed instructions for either option are available in the S3 Block Public Access documentation and AWS Organizations User Guide. Remember that you can always check for public buckets in the S3 Console (we flag buckets with objects containing public permissions prominently there), and you can also use AWS Trusted Advisor’s S3 Bucket Permissions Check to notify you of any open buckets at no cost to you. You can use AWS CloudTrail to audit organization-level policy attachment and enforcement actions across member accounts.
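The two points above, that the most restrictive level wins when bucket, account and organization settings are combined, and that you should check which buckets are still open, as an added example that is not code from this page or from AWS. It assumes boto3's get_public_access_block call and its NoSuchPublicAccessBlockConfiguration error code (both real), while the bucket names and account settings are constructed.

```python
# Added example, not code from the AWS page: merges Block Public Access settings
# the way the page describes (the most restrictive level wins) and audits a
# constructed sample. The four flags are the real PublicAccessBlockConfiguration fields.
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
         "BlockPublicPolicy", "RestrictPublicBuckets")
NO_BLOCK = {f: False for f in FLAGS}    # bucket with no configuration set
ALL_BLOCKED = {f: True for f in FLAGS}  # "Block all public access"

def effective_block(*levels):
    """Combine bucket-, account- and organization-level settings. Every flag
    is a restriction, so it is on if ANY level turns it on; a level given as
    None (not configured) contributes nothing."""
    merged = dict(NO_BLOCK)
    for cfg in levels:
        for f in FLAGS:
            merged[f] = merged[f] or bool((cfg or {}).get(f, False))
    return merged

def audit(bucket_configs, account_config=None, org_config=None):
    """Return {bucket: [flags still off]} for every bucket that is not fully
    blocked once account and organization settings are taken into account."""
    findings = {}
    for bucket, cfg in bucket_configs.items():
        eff = effective_block(cfg, account_config, org_config)
        missing = [f for f in FLAGS if not eff[f]]
        if missing:
            findings[bucket] = missing
    return findings

def fetch_bucket_config(s3_client, bucket):
    """Read one bucket's settings with boto3's get_public_access_block; a bucket
    that never had it set raises NoSuchPublicAccessBlockConfiguration (nothing blocked)."""
    try:
        resp = s3_client.get_public_access_block(Bucket=bucket)
        return resp["PublicAccessBlockConfiguration"]
    except Exception as err:  # botocore's ClientError exposes .response
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return dict(NO_BLOCK)
        raise

# Constructed sample: one hardened bucket, one legacy bucket with nothing set,
# and an account that blocks only ACL-based public access.
SAMPLE_BUCKETS = {"logs-bucket": dict(ALL_BLOCKED), "legacy-site": dict(NO_BLOCK)}
SAMPLE_ACCOUNT = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for bucket, missing in audit(SAMPLE_BUCKETS, SAMPLE_ACCOUNT).items():
        print(f"{bucket}: flags still off -> {', '.join(missing)}")
```

Attaching an organization-level configuration with all four flags on clears every finding, which is the behaviour the page describes for organization-wide enforcement.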
Organization-level S3 Block Public Access is available in the AWS Organizations console as well as AWS CLI/SDK, in all AWS Regions where AWS Organizations and Amazon S3 are supported, with no additional charges.
Take the 15-minute Amazon S3 Block Public Access online-training course to block public access to your S3 account or buckets.