Description:
Amazon S3 provides 'Block public access (bucket settings)' and 'Block public access (account settings)' to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, 'Block public access (bucket settings)' prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, 'Block public access (account settings)' prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.
Rationale:
Amazon S3 'Block public access (bucket settings)' prevents the accidental or malicious public exposure of data contained within the respective bucket(s).
Amazon S3 'Block public access (account settings)' prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.
Whether to block public access for all buckets or only for some is an organizational decision that should be based on data sensitivity, least privilege, and use case.
If utilizing Block Public Access (bucket settings)
From Console:
From Command Line:
List the buckets in the account:
aws s3 ls
Then, for each bucket that should block public access, run the following command (replace <bucket-name> with the name of the bucket):
aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
If utilizing Block Public Access (account settings)
From Console:
If the output reads 'true' for each of the four configuration settings, then Block Public Access is set on the account.
From Command Line:
To set Block Public access settings for this account, run the following command:
aws s3control put-public-access-block --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" --account-id <account-id>
Replace <account-id> with the ID of the AWS account. The configuration value must be passed without spaces after the commas (or quoted as shown); otherwise the shell splits it into separate arguments and the command fails.
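The bucket-level and account-level settings above are evaluated together: S3 applies the most restrictive combination of the two, so a bucket is only unprotected for a setting that is off at both levels, and a bucket with no Block Public Access configuration at all (the CLI reports NoSuchPublicAccessBlockConfiguration) relies entirely on the account-level settings. The following script is an added audit example, not part of the benchmark text or AWS tooling. It parses the JSON that `aws s3api get-public-access-block` and `aws s3control get-public-access-block` print, combines the two levels, and reports the settings that remain unblocked for each bucket. The JSON documents and bucket names in it are constructed sample data, not output from a real account.

```python
import json

# The four settings that make up a Block Public Access configuration, in the
# order the CLI returns them.
BLOCK_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# Constructed sample output of `aws s3api get-public-access-block --bucket ...`
SAMPLE_BUCKET_OUTPUT = """{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": false,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": false
    }
}"""

# Constructed sample output of `aws s3control get-public-access-block --account-id ...`
SAMPLE_ACCOUNT_OUTPUT = """{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": false,
        "RestrictPublicBuckets": false
    }
}"""


def parse_public_access_block(cli_output):
    """Turn the CLI's JSON output into a {setting: bool} dict.

    When no configuration exists the CLI exits with a
    NoSuchPublicAccessBlockConfiguration error instead of printing JSON;
    the caller passes None for that case and every setting counts as off.
    """
    if cli_output is None:
        return {name: False for name in BLOCK_SETTINGS}
    cfg = json.loads(cli_output)["PublicAccessBlockConfiguration"]
    # A key that is absent from the document also means "not blocked".
    return {name: bool(cfg.get(name, False)) for name in BLOCK_SETTINGS}


def missing_blocks(config):
    """Return the settings that are not enabled, in canonical order."""
    return [name for name in BLOCK_SETTINGS if not config.get(name, False)]


def effective_blocks(account_config, bucket_config):
    """Combine account-level and bucket-level settings.

    S3 applies the most restrictive combination, so a setting is
    effectively on when either level enables it.
    """
    return {
        name: account_config.get(name, False) or bucket_config.get(name, False)
        for name in BLOCK_SETTINGS
    }


def audit(account_output, bucket_outputs):
    """Report which settings stay unblocked per bucket after combining levels.

    bucket_outputs maps bucket name -> CLI output string (or None when the
    bucket has no configuration).  Returns {bucket: [unblocked settings]};
    an empty list means the bucket is fully blocked.
    """
    account_cfg = parse_public_access_block(account_output)
    report = {}
    for bucket, output in bucket_outputs.items():
        bucket_cfg = parse_public_access_block(output)
        report[bucket] = missing_blocks(effective_blocks(account_cfg, bucket_cfg))
    return report


if __name__ == "__main__":
    # Constructed bucket names for the demonstration.
    result = audit(
        SAMPLE_ACCOUNT_OUTPUT,
        {"example-bucket": SAMPLE_BUCKET_OUTPUT, "unconfigured-bucket": None},
    )
    for bucket, gaps in result.items():
        status = "OK" if not gaps else "NOT BLOCKED: " + ", ".join(gaps)
        print(f"{bucket}: {status}")
```

To run this against a real account, feed the script the output of the two `get-public-access-block` commands for each bucket and for the account, passing None for any bucket where the CLI reports NoSuchPublicAccessBlockConfiguration. A bucket whose report list is empty satisfies the control at one level or the other; any listed setting is one that neither level blocks and that the `put-public-access-block` commands above would close.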