How to enable public access block to restrict access in S3 using AWS CLI

Riyaz Walikar
Feature image


S3 buckets can be configured to allow the global principal to access the bucket via the bucket policy or through ACL. This policy should be restricted only to known users or accounts. Setting the bucket policy to public access would make all the contents in the bucket public.

AWS allows users to set visibility and access permissions for a bucket and the objects within at a granular level using bucket policies. One of the most dangerous configurations is to have a bucket with public Internet wide access with all objects within becoming public. An S3 bucket with full access to any Internet user has the All Users group permission, represented by http://acs.amazonaws.com/groups/global/AllUsers assigned to it. An attacker can simply browse to the HTTP address of the S3 bucket with a browser and download objects from within.

The most common cause of data breaches in AWS, the exposure of buckets and their contains will result in a data incident. Based on the quantity and type of data uncovered, it may be possible for additional attacks within the AWS target environment.

Enable public access block for S3 Bucket using CLI

  1. Run the command to list the S3 buckets

    aws s3api list-buckets

    list the S3 buckets

  2. Run the below command to enable Public Access Block

    aws s3api put-public-access-block --bucket <bucket_name> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

    Specify the name of the S3 bucket whose PublicAccessBlock configuration you want to set.

    restrict access in s3

  3. Run the command to check if the Public Access Block is enabled or not

    aws s3api get-public-access-block --bucket <bucket_name>

    Public Access Block is enabled

← Back to Academy