How to Lock Down a Public S3 Bucket
A public S3 bucket is usually a leftover "Principal": "*" policy plus Block Public Access being off. The fix is two steps: drop the public policy, then enable all four Block Public Access flags. Here's how.
How a bucket ends up public
Two things have to be true for a bucket to be world-readable, and both are common
leftovers:
1. A bucket policy (or ACL) that grants access to everyone - "Principal": "*".
2. Block Public Access (BPA) turned off, so AWS doesn't override that policy.
Fix both: remove the open grant, then turn BPA on so it can never happen again - even by accident.
Step 1: remove the public policy
aws s3api get-bucket-policy --bucket acme-uploads # see what's there first
aws s3api delete-bucket-policy --bucket acme-uploads
Step 2: turn on all four Block Public Access settings
aws s3api put-public-access-block --bucket acme-uploads \
--public-access-block-configuration \
'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'
All four matter: - BlockPublicAcls / IgnorePublicAcls - reject and ignore public ACLs. - BlockPublicPolicy - reject any new policy that grants public access. - RestrictPublicBuckets - even if a public policy somehow exists, restrict access to it.
With BPA on, a future "Principal": "*" policy is simply refused.
Step 3: verify
aws s3api get-public-access-block --bucket acme-uploads # all four true
aws s3api get-bucket-policy --bucket acme-uploads # should be gone (or scoped)
Defense in depth
- Account-level BPA - enable Block Public Access for the whole account so no bucket can be made public.
- Grant access narrowly - if some objects must be shared, use presigned URLs or a CloudFront origin access setup instead of a public bucket.
- IAM Access Analyzer - continuously flags any bucket exposed outside the account.
Want to try it hands-on? HeyDevJob gives you this exact setup in a live cloud workspace in your browser - edit it, run it, and see it work. Free, nothing to install.
Try it in a workspace →What you'll practice
- Removing a wildcard/public bucket policy
- Enabling all four Block Public Access flags
- Verifying + applying account-level BPA
FAQ
How do I make an S3 bucket private again?
Remove the public bucket policy (aws s3api delete-bucket-policy) and enable all four Block Public Access settings (put-public-access-block). BPA then refuses any future public policy or ACL.
What are the four S3 Block Public Access settings?
BlockPublicAcls and IgnorePublicAcls (reject/ignore public ACLs), BlockPublicPolicy (reject new public bucket policies), and RestrictPublicBuckets (restrict access even if a public policy exists). Turn all four on.
How do I share specific S3 files without making the bucket public?
Use presigned URLs for time-limited access to individual objects, or serve through CloudFront with origin access control. Keep the bucket private with Block Public Access on.
Keep learning
Learn it by doing. Open this in a live cloud workspace, make the change yourself, and keep a record of the work you can share.
Open the workspace →