Thursday 7 February 2019

Amazon S3 Bucket Public Access Considerations

Amazon S3 provides a set of an appliance to manage access of the buckets and objects. An Access Control List (ACL) is one of these access control appliances. It has come to our attention that some customers have changed default permissions and granted public access to their buckets.

We can grant public access to the bucket using ACLs, we must take the following issues into consideration :

1. Bucket Public "READ" Access :
It allows anybody to get a complete list of the bucket content. It does not grant permissions to read the content of an object. However, a list of object names can provide more information than required to the public. It referred to as "list" access.

2. Bucket Public "WRITE" Access :
It allows anybody to add, delete or replace objects in S3 bucket. This may result in unintended changes on the account. It referred to as "put" or "upload" access.

3. Bucket Public "WRITE ACP" Access :
It allows anybody to modify the access control permissions on the bucket. These entities can add permission to the ACL, an opening bucket to more public access than we require. Example, public WRITE_ACP permission on the bucket enables anybody to modify the ACL and grant permissions such as grant write permission on the bucket to others. It referred to as "edit permissions" access.

You can use ACLs to allow permissions to separate AWS accounts; however, it is firmly suggested that you do not allow public access to your bucket using an ACL.

Security By Default :

Any recently generated bucket is blocked to the public by default, minimizing the risk of accidentally uncover sensitive or private information to the public. Admin can easily revoke public access to older buckets at the account level. AWS has introduced functionality that made it easier for admin to see which buckets are marked as publicly available so they could adjust access controls as required. This product enhancement enables stricter access controls by default, which is welcome news for companies seeking greater peace of mind regarding their data security. While Amazon S3 once allowed a bucket owner to make adjustments to a particular bucket’s visibility settings, it is now possible to make those changes at the AWS account level as well.

Updating ACL to Remove Public Access to Your Buckets :

Use the following steps to remove any public access that you have granted to your bucket via ACL.
1. Sign in to Amazon Web Services and go to your S3 Management Console.
2. Select the bucket from the left. Click the Properties button from right if it's not already enlarged.
3. Refer the Permissions tab and click the Add Bucket Policy link.
4. Select the row that grants permission to everyone. "Everyone" refers to the Amazon S3 All User group.
5. Uncheck all the permissions allowed to everyone (or click x to delete the row). This removes all permissions granted to the public.
6. Click Save to save the ACL.

Best Practices For Protecting Your Amazon S3 Buckets And Objects :

Amazon S3 is a powerful service, and it’s easy to use. But if you don’t pay attention to the security, there can be serious consequences. We highly recommends that you use S3 Bucket Block for publicly accessible as the default setting for any new buckets and objects you may created. Any S3 bucket that has been appointed for internal use only, since there is no need for it to be accessible to the outside world. If you notice that a bucket of yours has been accidentally exposed, you can then go back into your S3 dashboard and set it to “Not public.”

If you have any queries related to this article, then feel free to contact us at

No comments:

Post a Comment

Empower Your Generative AI Innovation with Amazon Bedrock

  In the dynamic world of cloud computing, AWS has consistently set benchmarks with its innovative services and solutions. One of the inter...