Introduction
AWS allows bucket owners to make a bucket accessible over the Internet. Any Internet-based user, regardless of their authentication status with AWS, can then make HTTP requests and access the bucket and its objects via a browser.
This allows an Internet-located attacker to access the bucket using a user agent or the AWS CLI. If the publicly accessible bucket holds sensitive or critical data, that data becomes available to attackers without any authentication requirement. Based on the quantity and type of data uncovered, it may be possible for Internet-located attackers to perform additional attacks within the AWS target environment.
Steps to disable Internet wide access to the S3 bucket in AWS using CLI
- Run the command to list the S3 buckets
    aws s3 ls
- Run the below command to enable Public Access Block
    aws s3api put-public-access-block --bucket <bucket_name> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
- Run the command below to confirm Public Access Block is enabled. If it is enabled, it will show the values as true under PublicAccessBlockConfiguration
    aws s3api get-public-access-block --bucket <bucket_name>
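To run the confirmation step across every bucket instead of one at a time, the following added example (not part of the original article) parses the get-public-access-block output and reports which of the four settings are not true. The function names pab_missing and audit_buckets and the sample JSON are assumptions made for illustration; audit_buckets needs the AWS CLI with credentials, while pab_missing runs offline.

```shell
#!/bin/sh
# Added example: audit helper, not from the original article.
PAB_KEYS="BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets"

# pab_missing (hypothetical name): reads get-public-access-block JSON on stdin
# and prints, space-separated, every setting that is not true.
# Empty output means all four settings are enabled.
pab_missing() {
    json=$(cat)
    missing=""
    for key in $PAB_KEYS; do
        if ! printf '%s\n' "$json" |
            grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*true"; then
            missing="${missing:+$missing }$key"
        fi
    done
    printf '%s' "$missing"
}

# audit_buckets (hypothetical name): live check of every bucket in the account.
# If the CLI call fails (for example, the bucket has no Public Access Block
# configuration), stdin is empty and all four settings are reported as gaps.
audit_buckets() {
    aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' |
    while read -r bucket; do
        [ -n "$bucket" ] || continue
        gaps=$(aws s3api get-public-access-block --bucket "$bucket" 2>/dev/null | pab_missing)
        if [ -n "$gaps" ]; then
            echo "GAP  $bucket: $gaps"
        else
            echo "OK   $bucket"
        fi
    done
}

# Constructed sample responses (not real output from any account).
SAMPLE_FULL='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}'
SAMPLE_PARTIAL='{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": false,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": false
    }
}'
```

Call audit_buckets after sourcing the file; any bucket printed with GAP still needs the put-public-access-block command from the steps above.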

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.