Amazon S3 Block Public Access

Activate it now! Block all public access to your S3 data, now and in the future

Store your data in Amazon S3 and secure it from unauthorized access with S3 Block Public Access. With S3 Block Public Access, Amazon S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level, now and in the future.

To ensure that public access to all your S3 buckets and objects is blocked, turn on Block all public access. With a few clicks in the S3 management console, you can apply S3 Block Public Access to every bucket in your account – both existing and any new buckets created in the future – and make sure that there is no public access to any object. S3 Block Public Access is enabled by default for all new buckets.


S3 Block Public Access

S3 Block Public Access provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects never have public access, now and in the future.

Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both. To ensure that public access to all your S3 buckets and objects is blocked, turn on Block all public access at the account level. These settings apply account-wide for all current and future buckets.

AWS recommends that you turn on Block all public access, but before applying any of these settings, ensure that your applications will work correctly without public access. If you require some level of public access to your buckets or objects, you can customize the individual settings below to suit your specific storage use cases.

All new buckets have Block Public Access enabled by default. If you want to restrict access to all existing buckets in your account, you can enable Block Public Access at the account level. S3 Block Public Access settings override S3 permissions that allow public access, making it easy for the account administrator to set up a centralized control to prevent variation in security configuration regardless of how an object is added or a bucket is created.

If an object is written to an AWS Account or S3 bucket with S3 Block Public Access enabled, and that object specifies any type of public permissions via ACL or policy, those public permissions are blocked. 

In addition to the S3 console, you can enable S3 Block Public Access via the AWS CLI, SDKs, or REST APIs. Detailed instructions for each option are available in the S3 Block Public Access documentation. Remember that you can always check for public buckets in the S3 Console (we flag buckets with objects containing public permissions prominently there), and you can also use AWS Trusted Advisor’s S3 Bucket Permissions Check to notify you of any open buckets at no cost to you.
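The following is an added example, not code from AWS or from this page: an offline audit that combines account-level and bucket-level Block Public Access settings and reports which buckets are not fully covered. It assumes the four setting names of the S3 PublicAccessBlockConfiguration API structure (not listed on this page) and that a setting is in force when it is on at either level, the most restrictive combination; the bucket names and configurations are constructed sample data.

```python
# Added example. Dict shapes mirror the PublicAccessBlockConfiguration
# structure of the S3 / S3 Control APIs (an assumption; the page does not
# list the individual settings). All sample data below is constructed.
SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def normalize(config):
    """Treat a missing configuration or a missing key as 'off' (False)."""
    config = config or {}
    return {name: bool(config.get(name, False)) for name in SETTINGS}


def effective(account_cfg, bucket_cfg):
    """A setting is in force if it is on at either level (most restrictive wins)."""
    acct, bkt = normalize(account_cfg), normalize(bucket_cfg)
    return {name: acct[name] or bkt[name] for name in SETTINGS}


def audit(account_cfg, buckets):
    """Return {bucket: [settings not in force]} for buckets lacking full coverage."""
    findings = {}
    for name, bucket_cfg in sorted(buckets.items()):
        eff = effective(account_cfg, bucket_cfg)
        gaps = [s for s in SETTINGS if not eff[s]]
        if gaps:
            findings[name] = gaps
    return findings


# Constructed sample data: a partially configured account and three buckets.
ALL_ON = dict.fromkeys(SETTINGS, True)
ACCOUNT_PARTIAL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                   "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BUCKETS = {
    "example-logs": ALL_ON,
    "example-static-site": None,  # no bucket-level configuration at all
    "example-uploads": {"BlockPublicPolicy": True},
}

if __name__ == "__main__":
    for bucket, gaps in audit(ACCOUNT_PARTIAL, BUCKETS).items():
        print(f"{bucket}: not covered by {', '.join(gaps)}")
    # With every setting on at the account level, no bucket has a gap.
    print("account-level all on:", audit(ALL_ON, BUCKETS) or "no gaps")
```

In a live audit the two inputs would come from the account-level and per-bucket GetPublicAccessBlock calls instead of the constructed dictionaries.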


AWS News Blog

S3 Block Public Access - Another layer of protection for accounts and buckets

Amazon S3 Block Public Access provides a new level of protection that works at the account level and also on individual buckets, including those that you create in the future. You have the ability to block existing public access (whether it was specified by an ACL or a policy) and to ensure that public access is not granted to newly created items.


AWS News Blog

Heads-up: Amazon S3 security changes are coming in April of 2023

Starting in April of 2023, we will be making two changes to Amazon S3 to put our latest best practices for bucket security into effect automatically. Once the changes are in effect for a target Region, all newly created buckets in the Region will by default have S3 Block Public Access enabled and ACLs disabled. 


AWS Storage Blog

Learn how to use Amazon S3 Block Public Access and S3 Object Lock

One of the reasons S3 has been so successful is our focus on data security right from the beginning. We continuously invest to raise the bar on security for storage, and work with customers to meet ever-increasing security needs while holding true to our mission to keep storage simple.


AWS News Blog

AWS Config Update - New Managed Rules to Secure S3 Buckets

Today we are adding two new managed rules that will help you to secure your S3 buckets. You can enable these rules with a single click. The two new rules are s3-bucket-public-write-prohibited and s3-bucket-public-read-prohibited. They automatically identify buckets that allow global write and read access.
