← All posts
2 min read

Read each S3 public access block setting

#aws#cli#s3#storage#security
📑 On this page

Part 29 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets protect different access paths. Reading them individually makes security reviews clearer.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

aws s3api get-public-access-block \
  --bucket "$BUCKET"

BlockPublicAcls rejects new public ACLs; IgnorePublicAcls stops public ACLs from granting access; the other two guard public bucket policies.

Inspect the result

aws s3api get-public-access-block \
  --bucket "$BUCKET" \
  --query "PublicAccessBlockConfiguration.[BlockPublicAcls,IgnorePublicAcls,BlockPublicPolicy,RestrictPublicBuckets]" \
  --output text

A hardened private bucket should normally return four True values.

One tiny variation

aws s3api get-bucket-policy-status \
  --bucket "$BUCKET" \
  --query PolicyStatus.IsPublic \
  --output text

Policy status answers a different question: whether the current bucket policy is considered public.

Common mistake

A missing bucket-level configuration is not proof that public access is allowed. Account controls, ownership controls, ACLs, and policies all affect the final result.

Cleanup

# This lesson does not require an additional persistent resource.
aws s3api head-bucket --bucket "$BUCKET"

Keep the shared demo bucket for the next lesson, or remove only the configuration and objects created here.

Next, we will learn Enforce bucket owner ownership in S3.

Official AWS CLI reference