
Block public access (Bucket settings) – AWS S3

To be honest, the explanation of this area is “interesting”. I can read and understand every single word, and they are all English, but I just cannot understand how this thing works…

So I found a slightly better explanation for it. By the way, please keep in mind that “Block Public Access” is a shield that helps you set up the access policy: it sits on top of the ACLs and policies you write and overrides them.

A few examples…

  • Block public access to buckets and objects granted through new access control lists (ACLs): Imagine that you have a bucket that contains your company’s financial data. You want to make sure that only authorized users can access the data, so you enable the “Block public access to buckets and objects granted through new access control lists (ACLs)” option. This will prevent anyone from accidentally granting public access to the data through a new ACL.
  • Block public access to buckets and objects granted through any access control lists (ACLs): Imagine that you have a bucket that contains your company’s trade secrets. You want to make sure that the data is completely inaccessible to unauthorized users, so you enable the “Block public access to buckets and objects granted through any access control lists (ACLs)” option. This will block public access through all ACLs, including existing ACLs that allow public access.
  • Block public access to buckets and objects granted through new public bucket or access point policies: Imagine that you have a bucket that contains your company’s customer data. You want to make sure that the data is only accessible to authorized users, so you enable the “Block public access to buckets and objects granted through new public bucket or access point policies” option. This will prevent anyone from accidentally granting public access to the data through a new bucket or access point policy.
  • Block public and cross-account access to buckets and objects through any public bucket or access point policies: Imagine that you have a bucket that contains your company’s intellectual property. You want to make sure that the data is completely inaccessible to unauthorized users, including users from other AWS accounts, so you enable the “Block public and cross-account access to buckets and objects through any public bucket or access point policies” option. This will block public access through all bucket and access point policies, and for any bucket or access point whose policy grants public access it will also block cross-account access.

Block public access (bucket settings)

You can use the Block all public access setting to prevent anyone from accessing your S3 bucket or object. This is a good security practice, as it helps to protect your data from unauthorized access.
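To make the “Block all public access” setting concrete, here is an added example (not code from the original post) that audits and enforces it through a boto3-style client. It assumes a client exposing the real boto3 S3 methods `get_public_access_block` and `put_public_access_block`; the `FakeS3` class is a constructed in-memory stand-in so the code runs offline, and the four field names are the ones the S3 API uses for the four console switches. One edge case worth knowing: a bucket that has never had the setting touched returns `NoSuchPublicAccessBlockConfiguration`, which means every switch is off.

```python
"""Audit and enforce S3 Block Public Access through a boto3-style client.

Added example (not from the original post). The FakeS3 class is a
constructed stand-in for boto3's S3 client so this runs without AWS.
"""


class PublicAccessBlockError(Exception):
    """Stand-in for botocore's ClientError: the error code lives in .response."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Constructed in-memory stand-in for boto3's S3 client (not real AWS)."""

    def __init__(self):
        self._blocks = {}  # bucket name -> PublicAccessBlockConfiguration

    def get_public_access_block(self, Bucket):
        if Bucket not in self._blocks:
            # Real S3 raises this when no configuration has ever been set.
            raise PublicAccessBlockError("NoSuchPublicAccessBlockConfiguration")
        return {"PublicAccessBlockConfiguration": dict(self._blocks[Bucket])}

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self._blocks[Bucket] = dict(PublicAccessBlockConfiguration)
        return {}


# Console label (as worded in the post) -> field name in the S3 API.
CONSOLE_TO_API = {
    "Block public access to buckets and objects granted through new "
    "access control lists (ACLs)": "BlockPublicAcls",
    "Block public access to buckets and objects granted through any "
    "access control lists (ACLs)": "IgnorePublicAcls",
    "Block public access to buckets and objects granted through new "
    "public bucket or access point policies": "BlockPublicPolicy",
    "Block public and cross-account access to buckets and objects through "
    "any public bucket or access point policies": "RestrictPublicBuckets",
}
API_FIELDS = tuple(CONSOLE_TO_API.values())
BLOCK_ALL = {field: True for field in API_FIELDS}  # the console's "Block all public access"


def read_public_access_block(s3, bucket):
    """Return the bucket's four switches as {field: bool}.

    A bucket with no configuration behaves as if every switch were off, so
    the NoSuchPublicAccessBlockConfiguration error is folded into all-False.
    """
    try:
        resp = s3.get_public_access_block(Bucket=bucket)
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return {field: False for field in API_FIELDS}
        raise
    cfg = resp["PublicAccessBlockConfiguration"]
    return {field: bool(cfg.get(field, False)) for field in API_FIELDS}


def disabled_settings(s3, bucket):
    """Console labels of the switches that are off: the audit finding."""
    flags = read_public_access_block(s3, bucket)
    return [label for label, field in CONSOLE_TO_API.items() if not flags[field]]


def enforce_block_all(s3, bucket):
    """Turn on all four switches and return the configuration read back."""
    s3.put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=dict(BLOCK_ALL)
    )
    return read_public_access_block(s3, bucket)


if __name__ == "__main__":
    s3 = FakeS3()
    print(disabled_settings(s3, "example-bucket"))  # all four: nothing set yet
    print(enforce_block_all(s3, "example-bucket"))
    print(disabled_settings(s3, "example-bucket"))  # []
```

Against real AWS you would pass `boto3.client("s3")` instead of `FakeS3()`; the rest of the code is unchanged, because the fake mirrors the request and response shapes of the two calls it stands in for.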

Keywords:
  • Public access: This means that anyone can access your S3 bucket or object, even if they don’t have an AWS account.
  • Access control lists (ACLs): These are lists that define who has access to your S3 bucket or object.
  • Bucket policies: These are more granular than ACLs and can be used to control access based on the user’s identity, the IP address they are using, or other criteria.
  • Access point policies: These are similar to bucket policies but apply to access points instead of buckets.
  • Access object: Objects are the basic unit of storage. An object can be a file, a directory, or a collection of files. “Access objects” means that you control who has access to your objects and how they can access them. You do this with the mechanisms shown above: access control lists (ACLs), bucket policies, and access point policies.

Block public access to buckets and objects granted through new access control lists (ACLs)

“S3 will block public access permissions applied to newly added buckets or objects, and prevent the creation of new public access ACLs for existing buckets and objects. This setting doesn’t change any existing permissions that allow public access to S3 resources using ACLs.”

When you enable this setting, it prevents public access from being granted to your S3 bucket or object through a new ACL. This means that if you create a new bucket or object and try to grant public access to it through an ACL, the request will be denied.

However, this setting does not affect any existing ACLs that allow public access. This means that if you have already created an ACL that allows public access to a bucket or object, this setting will not change that.

This setting can be a good way to protect your S3 buckets and objects from unauthorized access. By preventing anyone from creating new ACLs that allow public access, you can help to ensure that your data is only accessible to those who you have explicitly granted access to.

Here’s an analogy that might help you understand this setting:

Imagine that you have a bucket of toys that you want to share with your friends. You could give each of your friends a key to the bucket, but this would be a lot of work and it would be easy for someone to lose their key.

Instead, you could create a new bucket of toys that only you have the key to. This would make it much more difficult for someone to gain unauthorized access to your toys.

The “Block public access to buckets and objects granted through new access control lists (ACLs)” setting is like creating a new bucket of toys that only you have the key to. This setting prevents anyone from creating new ACLs that allow public access to your S3 buckets and objects, which can help to protect your data from unauthorized access.

Block public access to buckets and objects granted through any access control lists (ACLs)

“S3 will ignore all ACLs that grant public access to buckets and objects.” – It is easy to understand now.

Here are the steps on how to set up an access control list (ACL) in the Amazon S3 console:
  1. Go to the Amazon S3 console.
  2. Select the bucket or object that you want to configure an ACL for.
  3. Click the Permissions tab.
  4. Click the Edit button.
  5. In the ACL section, select the Add button.
  6. In the Grantee field, enter the name of the user or group that you want to grant access to.
  7. In the Permissions field, select the permissions that you want to grant.
  8. Click the Save button.

Block public access to buckets and objects granted through new public bucket or access point policies

“S3 will block new bucket and access point policies that grant public access to buckets and objects. This setting doesn’t change any existing policies that allow public access to S3 resources.”

This option prevents anyone from accessing your S3 buckets and objects through new bucket or access point policies that grant public access. This means that if you create a new bucket or access point policy and try to grant public access through it, the request will be denied.

However, this setting does not affect any existing bucket or access point policies that allow public access. This means that if you have already created a bucket or access point policy that allows public access to a bucket or object, this setting will not change that.

This setting can be a good way to protect your S3 buckets and objects from unauthorized access. By preventing anyone from creating new bucket or access point policies that allow public access, you can help to ensure that your data is only accessible to those who you have explicitly granted access to.

Block public and cross-account access to buckets and objects through any public bucket or access point policies

“S3 will ignore public and cross-account access for buckets or access points with policies that grant public access to buckets and objects.”

This option is the most restrictive of the four. For any bucket or access point whose policy grants public access, S3 ignores both public access and cross-account access. Cross-account access is when users from other AWS accounts have access to your S3 buckets and objects.
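The four sections above each describe one switch in terms of what it rejects and what it ignores. The following added example (not code from the original post) models exactly those rules so you can see them side by side: setting 1 refuses a new public ACL but leaves existing ones working, setting 2 ignores public ACLs, setting 3 refuses a new public policy but leaves existing ones working, and setting 4 ignores public and cross-account access once the policy is public. It assumes ACL and policy inputs in the shape of `get_bucket_acl` and `get_bucket_policy` output; the group URIs and field names are the real S3 ones, the sample ACLs and policy are constructed, and the “is this policy public” test is a deliberate simplification (wildcard principal with no `Condition`), since S3’s own public-policy check is more elaborate.

```python
"""Model of what each Block Public Access switch does to ACLs and policies.

Added example (not from the original post). Field names are the real S3
PublicAccessBlockConfiguration fields; the sample inputs are constructed.
"""
from dataclasses import dataclass

# Group URIs S3 uses in ACL grants for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


@dataclass(frozen=True)
class PublicAccessBlock:
    BlockPublicAcls: bool = False        # setting 1: reject new public ACLs
    IgnorePublicAcls: bool = False       # setting 2: ignore any public ACL
    BlockPublicPolicy: bool = False      # setting 3: reject new public policies
    RestrictPublicBuckets: bool = False  # setting 4: restrict buckets with a public policy


def public_acl_groups(acl):
    """Set of public group URIs granted in an ACL (empty if none)."""
    groups = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            groups.add(grantee["URI"])
    return groups


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_is_public(policy):
    """Simplified: an Allow statement with a wildcard principal and no Condition."""
    if not policy:
        return False
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return any(
        s.get("Effect") == "Allow"
        and _wildcard_principal(s.get("Principal"))
        and not s.get("Condition")
        for s in stmts
    )


def put_acl_allowed(block, acl):
    """Setting 1: a PUT of a public ACL is refused; existing ACLs are untouched."""
    return not (block.BlockPublicAcls and public_acl_groups(acl))


def put_policy_allowed(block, policy):
    """Setting 3: a PUT of a public bucket policy is refused; existing ones stay."""
    return not (block.BlockPublicPolicy and policy_is_public(policy))


def public_read_allowed(block, acl, policy, requester):
    """Can `requester` ("anonymous" or "cross-account") read through the
    public grants already in place on the bucket?"""
    if requester not in ("anonymous", "cross-account"):
        raise ValueError(requester)
    groups = set() if block.IgnorePublicAcls else public_acl_groups(acl)  # setting 2
    via_policy = policy_is_public(policy)
    if block.RestrictPublicBuckets and via_policy:
        # Setting 4: once the policy is public, S3 ignores public and
        # cross-account access to this bucket altogether.
        return False
    # AuthenticatedUsers covers any signed AWS request; AllUsers also anonymous ones.
    via_acl = ALL_USERS in groups if requester == "anonymous" else bool(groups)
    return via_acl or via_policy


# Constructed samples in the shape S3 returns (not taken from any real bucket).
SAMPLE_PUBLIC_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
}
SAMPLE_AUTH_USERS_ACL = {
    "Grants": [{"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}],
}
SAMPLE_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    for name in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"):
        block = PublicAccessBlock(**{name: True})
        print(name, "-> anonymous read via existing ACL + policy:",
              public_read_allowed(block, SAMPLE_PUBLIC_ACL, SAMPLE_PUBLIC_POLICY, "anonymous"))
```

Running the `__main__` loop shows the difference the post keeps stressing: the two “new” switches (1 and 3) change nothing about access that existing ACLs or policies already grant, while the two “any” switches (2 and 4) are the ones that actually close an already-open bucket.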