← All posts
2 min read

Check whether an S3 bucket policy is public

#aws#cli#s3#storage#security#policy
📑 On this page

Part 32 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

S3 can analyze the effective bucket policy and report an IsPublic boolean. This is faster and safer than guessing from one statement.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

aws s3api get-bucket-policy-status \
  --bucket "$BUCKET"

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

aws s3api get-bucket-policy-status \
  --bucket "$BUCKET" \
  --query PolicyStatus.IsPublic \
  --output text

False is expected for a private demo bucket. A missing policy can return NoSuchBucketPolicy rather than a boolean.

One tiny variation

aws s3api get-public-access-block \
  --bucket "$BUCKET" \
  --query PublicAccessBlockConfiguration

Compare policy status with the bucket guardrails; neither output replaces the other.

Common mistake

Do not treat IsPublic=false as a complete least-privilege review. A non-public policy can still grant broad access to identities in your account or selected external accounts.

Cleanup

# This lesson does not require an additional persistent resource.
aws s3api head-bucket --bucket "$BUCKET"

Keep the shared demo bucket for the next lesson, or remove only the configuration and objects created here.

Next, we will learn Configure S3 CORS for one web origin.

Official AWS CLI reference