← All posts
2 min read

Block all public access on an S3 bucket

#aws#cli#s3#storage#security
📑 On this page

Part 28 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

S3 Block Public Access is a guardrail over ACLs and bucket policies. Enabling all four bucket settings is a strong default for private storage.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

aws s3api put-public-access-block \
  --bucket "$BUCKET" \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

aws s3api get-public-access-block \
  --bucket "$BUCKET" \
  --query PublicAccessBlockConfiguration \
  --output table

Read the returned fields rather than assuming the write succeeded exactly as intended.

One tiny variation

aws s3control get-public-access-block \
  --account-id "$(aws sts get-caller-identity --query Account --output text)"

Account-level settings also participate. S3 applies the most restrictive combination of account and bucket controls.

Common mistake

Block Public Access does not remove an existing ACL or policy document. It changes whether public permissions can be accepted or used. Inspect the underlying policy separately.

Cleanup

# This lesson does not require an additional persistent resource.
aws s3api head-bucket --bucket "$BUCKET"

Keep the shared demo bucket for the next lesson, or remove only the configuration and objects created here.

Next, we will learn Read each S3 public access block setting.

Official AWS CLI reference