How to Lock Down a Public S3 Bucket

A public S3 bucket is usually a leftover "Principal": "*" policy plus Block Public Access being off. The fix is two steps: drop the public policy, then enable all four Block Public Access flags. Here's how.

Security Engineerawss3security

How a bucket ends up public

Two things have to be true for a bucket to be world-readable, and both are common leftovers: 1. A bucket policy (or ACL) that grants access to everyone - "Principal": "*". 2. Block Public Access (BPA) turned off, so AWS doesn't override that policy.

Fix both: remove the open grant, then turn BPA on so it can never happen again - even by accident.

Step 1: remove the public policy

aws s3api get-bucket-policy --bucket acme-uploads   # see what's there first
aws s3api delete-bucket-policy --bucket acme-uploads

Step 2: turn on all four Block Public Access settings

aws s3api put-public-access-block --bucket acme-uploads \
  --public-access-block-configuration \
  'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

All four matter: - BlockPublicAcls / IgnorePublicAcls - reject and ignore public ACLs. - BlockPublicPolicy - reject any new policy that grants public access. - RestrictPublicBuckets - even if a public policy somehow exists, restrict access to it.

With BPA on, a future "Principal": "*" policy is simply refused.

Step 3: verify

aws s3api get-public-access-block --bucket acme-uploads   # all four true
aws s3api get-bucket-policy --bucket acme-uploads         # should be gone (or scoped)

Defense in depth

Want to try it hands-on? HeyDevJob gives you this exact setup in a live cloud workspace in your browser - edit it, run it, and see it work. Free, nothing to install.

Try it in a workspace →

What you'll practice

FAQ

How do I make an S3 bucket private again?

Remove the public bucket policy (aws s3api delete-bucket-policy) and enable all four Block Public Access settings (put-public-access-block). BPA then refuses any future public policy or ACL.

What are the four S3 Block Public Access settings?

BlockPublicAcls and IgnorePublicAcls (reject/ignore public ACLs), BlockPublicPolicy (reject new public bucket policies), and RestrictPublicBuckets (restrict access even if a public policy exists). Turn all four on.

How do I share specific S3 files without making the bucket public?

Use presigned URLs for time-limited access to individual objects, or serve through CloudFront with origin access control. Keep the bucket private with Block Public Access on.

Keep learning

Close a SQL Injection in a Search EndpointSecurity projectNeutralize a Stored XSS in CommentsSecurity projectRemove Hardcoded Credentials From Source CodeSecurity projectSecurity roadmapStep by step to hiredSecurity interview questionsSTAR answersAll Security projectsProjects hub

Learn it by doing. Open this in a live cloud workspace, make the change yourself, and keep a record of the work you can share.

Open the workspace →