Block all public access on an S3 bucket
📑 On this page
Part 28 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.
What we are learning
S3 Block Public Access is a guardrail over ACLs and bucket policies. Enabling all four bucket settings is a strong default for private storage.
Before you run it
aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.
The command
aws s3api put-public-access-block \
--bucket "$BUCKET" \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=trueA successful configuration command may return no output. Treat inspection as a separate required step.
Inspect the result
aws s3api get-public-access-block \
--bucket "$BUCKET" \
--query PublicAccessBlockConfiguration \
--output tableRead the returned fields rather than assuming the write succeeded exactly as intended.
One tiny variation
aws s3control get-public-access-block \
--account-id "$(aws sts get-caller-identity --query Account --output text)"Account-level settings also participate. S3 applies the most restrictive combination of account and bucket controls.
Common mistake
Block Public Access does not remove an existing ACL or policy document. It changes whether public permissions can be accepted or used. Inspect the underlying policy separately.
Cleanup
# This lesson does not require an additional persistent resource.
aws s3api head-bucket --bucket "$BUCKET"Keep the shared demo bucket for the next lesson, or remove only the configuration and objects created here.
Next, we will learn Read each S3 public access block setting.