How to block public access to an S3 bucket from multiple AWS accounts
To block public access to an S3 bucket from multiple AWS
accounts, you can follow these steps:
Access Control Policies:
Ensure that there are no bucket policies or access control
lists (ACLs) that grant public access.
Bucket Policy:
Attach a bucket policy that explicitly denies all public
access. Here's an example policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
}
]
}Cross-Account Access:
Ensure that there are no cross-account access policies that
allow access from other AWS accounts.
Block Public Access Settings:
In the S3 bucket settings, go to the "Permissions" tab and
scroll down to the "Block public access" section. Enable all
four settings:
Block all public access
Block public access to buckets and objects granted through new
access control lists (ACLs)
Block public access to buckets and objects granted through any
access control lists (ACLs)
Block public access to buckets and objects granted through new
public bucket or access point policies
Access Logging (Optional):
Enable access logging for your S3 bucket. This can help you
track who accesses your bucket.
Regular Auditing:
Regularly review your bucket policies and permissions to ensure
they remain secure. Remember to test thoroughly after making
these changes to ensure that your S3 bucket is no longer
publicly accessible. Keep in mind that denying all public
access may affect legitimate use cases, so be sure to adjust
your policies accordingly.