Overview
Lock down public access to your Amazon S3 buckets by enabling S3 Block Public Access and removing public ACLs and bucket policy statements. This plan evaluates all in-scope buckets, highlights where public or anonymous access exists, guides you in choosing which buckets to secure, applies the configuration changes, and then validates that the buckets are no longer publicly accessible.
The approach is divided into three phases:
- Assessment – Discover S3 buckets, review their Block Public Access settings, ACLs, and bucket policies, and present findings so you can choose which buckets to lock down.
- Configuration – Enable Block Public Access on the selected buckets, remove public ACLs, and update bucket policies to eliminate unintended public or anonymous access.
- Validation – Verify that Block Public Access is correctly configured and that the selected buckets are not publicly accessible via ACLs or policies.
Execution Details
Assessment
Inventory S3 buckets and Block Public Access settings
Identify which S3 buckets should be evaluated and record their public access posture:
- Define the scope of buckets (for example, all buckets, specific Regions, or name patterns).
- List the in-scope buckets and record their names and Regions.
- Retrieve bucket-level Block Public Access settings for each bucket.
- Classify each bucket as fully enabled, partially enabled, or disabled for Block Public Access based on the four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets).
- Store these results in a structured format for later use.
Inspect bucket and object ACLs for public or anonymous access
Analyze ACLs to detect where public or broadly accessible grants exist:
- For each in-scope bucket, retrieve and record the bucket ACL, including all grants and grantees.
- Identify ACL grants that reference the AllUsers or AuthenticatedUsers groups, indicating public or anonymous access.
- Correlate ACL findings with BlockPublicAcls and IgnorePublicAcls settings to note where public ACLs are effectively blocked but still configured.
- Sample object ACLs (for example, by common prefixes or subsets of keys) to detect object-level public grants.
- Summarize, per bucket, whether public access is present through bucket or object ACLs and store the findings for planning cleanup.
Inspect bucket policies for public or anonymous access
Review bucket policies to find policy-based public exposure:
- Determine which buckets have an attached bucket policy and retrieve the policy JSON where present.
- Parse each policy and record its statements (Effect, Principal, Action, Resource, Condition).
- Identify statements with public or anonymous access, such as Principal "*" or conditions that allow access from public IP ranges (e.g., 0.0.0.0/0).
- Differentiate between truly public access and configurations that restrict access using conditions (for example, VPC endpoints or specific principals).
- Summarize for each bucket how policy statements may allow public or anonymous access and store these results for later modification.
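The three inspection steps above, as an added Python example that is not part of this plan: the functions take the dict shapes returned by the boto3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy calls (fetching them is left to the caller, so the code runs offline), classify the four Block Public Access flags, flag AllUsers/AuthenticatedUsers grants while noting whether IgnorePublicAcls neutralises them, and separate wildcard-principal policy statements that are truly public (including an aws:SourceIp of 0.0.0.0/0) from those restricted by a VPC endpoint or principal condition. The set of restricting condition keys and the sample policy are assumptions constructed for the example; the Validation phase re-runs the same checks after the changes.

```python
import json
# Dict shapes follow the boto3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy responses.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Condition keys assumed to narrow a wildcard principal (VPC endpoints, specific principals, source IPs).
RESTRICTING_KEYS = {"aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
                    "aws:principalarn", "aws:principalaccount", "aws:principalorgid"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # a SourceIp condition limited to these still admits everyone

def classify_block_public_access(cfg):
    """'fully enabled', 'partially enabled' or 'disabled' for a PublicAccessBlockConfiguration dict."""
    enabled = sum(1 for key in BPA_KEYS if cfg.get(key, False))
    return "fully enabled" if enabled == len(BPA_KEYS) else ("partially enabled" if enabled else "disabled")

def public_acl_grants(acl, cfg):
    """AllUsers/AuthenticatedUsers grants; 'effective' is False while IgnorePublicAcls neutralises them."""
    effective = not cfg.get("IgnorePublicAcls", False)
    named = ((PUBLIC_GROUPS.get(g["Grantee"].get("URI")), g) for g in acl.get("Grants", []))
    return [{"group": name, "permission": g.get("Permission"), "effective": effective}
            for name, g in named if name]

def _wildcard_principal(principal):
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def _condition_restricts(condition):
    """True when a positive condition narrows the caller; a world CIDR on aws:SourceIp does not."""
    for operator, pairs in condition.items():
        if operator.lower().startswith("not"):
            continue  # NotIpAddress and friends widen rather than narrow the caller set
        for key, value in pairs.items():
            values = set(value if isinstance(value, list) else [value])
            if key.lower() in RESTRICTING_KEYS and not values <= WORLD_CIDRS:
                return True
    return False

def public_policy_statements(policy_json):
    """Allow statements with a wildcard principal, split into truly public vs condition-restricted."""
    result = {"public": [], "restricted": []}
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal", {})):
            kind = "restricted" if _condition_restricts(stmt.get("Condition", {})) else "public"
            result[kind].append(stmt.get("Sid", f"statement[{idx}]"))
    return result
# Constructed sample policy (not from any real account): a world-IP statement and a VPC-endpoint one.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "WorldIp", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
```

Run `public_policy_statements(SAMPLE_POLICY)` to see the world-IP statement reported as public and the VPC-endpoint one as restricted; a Deny statement or an Allow without a wildcard principal is never reported.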
User selection of buckets to lock down
Present the collected information so you can decide which buckets to secure:
- Show each in-scope bucket with its Block Public Access status, ACL findings, and policy findings.
- Highlight buckets with any form of public or anonymous access and those without full Block Public Access enabled.
- Guide you through selecting buckets to lock down by enabling Block Public Access and removing public ACLs and policy statements.
- Capture a final, user-approved list of buckets to secure, along with any buckets you choose to exclude and optional rationale.
- Store the approved target list for the configuration phase.
Configuration
Enable Block Public Access on selected buckets
Apply recommended Block Public Access settings to the buckets you chose:
- Use the user-approved list of buckets to lock down.
- Review current Block Public Access configuration for each selected bucket.
- Determine the desired configuration (typically enabling all four settings).
- Apply the updated Block Public Access settings to each bucket.
- Re-check each bucket to confirm the intended settings are active, and document the final configuration for validation.
Remove public ACLs from selected buckets and objects
Clean up ACL-based public access while preserving required private access:
- Use the selected bucket list and previous ACL findings as a guide.
- For each selected bucket, identify grants in the bucket ACL that refer to AllUsers or AuthenticatedUsers.
- Remove or adjust those public or anonymous grants, ensuring that necessary non-public access (such as the bucket owner or specific accounts) remains.
- Where required, target specific object prefixes or a defined set of objects to review and clean object ACLs that include public grants.
- Confirm, by re-checking the bucket and sampled object ACLs, that public or anonymous grants have been removed.
- Document all ACL changes made per bucket, including any ACLs that could not be modified and why.
Update bucket policies to remove public access
Align bucket policies with the new Block Public Access posture:
- Use the selected bucket list and prior policy inspection results to identify affected policies.
- For each selected bucket, locate all policy statements that grant public or anonymous access (for example, Principal "*" with broad permissions or public IP ranges).
- Decide whether each public statement can be removed entirely or needs to be tightened (for example, scoping to specific principals, VPC endpoints, or CIDR ranges).
- Update the bucket policy accordingly, ensuring it remains valid and continues to support required non-public access.
- Reapply and retrieve the updated policy to confirm that no unintended public or anonymous access remains.
- Record all policy changes and any justified exceptions that must remain public.
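The ACL cleanup and policy update steps above, as an added Python example that is not the plan's own tooling: it builds the AccessControlPolicy to hand to PutBucketAcl with AllUsers/AuthenticatedUsers grants removed and the owner's FULL_CONTROL kept, and rewrites a bucket policy by deleting the statements you decided to remove and scoping the ones you decided to tighten to a VPC endpoint. Which Sids to remove or tighten, the vpce id and the sample ACL and policy are constructed assumptions; the functions are pure, so the caller fetches the current documents and writes the results back.

```python
import json

# Inputs follow the boto3 GetBucketAcl and GetBucketPolicy responses; outputs are the AccessControlPolicy
# for PutBucketAcl and the Policy string for PutBucketPolicy (or None, meaning DeleteBucketPolicy).
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def strip_public_acl_grants(acl):
    """Return (new AccessControlPolicy, removed grants) with AllUsers/AuthenticatedUsers grants gone.
    The owner's FULL_CONTROL grant is restored if absent so the bucket remains manageable."""
    keep, removed = [], []
    for grant in acl.get("Grants", []):
        (removed if grant["Grantee"].get("URI") in PUBLIC_GROUP_URIS else keep).append(grant)
    owner = acl["Owner"]
    if not any(g["Grantee"].get("ID") == owner["ID"] and g["Permission"] == "FULL_CONTROL" for g in keep):
        keep.append({"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]}, "Permission": "FULL_CONTROL"})
    return {"Owner": owner, "Grants": keep}, removed

def rewrite_policy(policy_json, remove_sids=(), restrict_to_vpce=None):
    """Drop statements whose Sid is in remove_sids; scope those in restrict_to_vpce ({Sid: vpce-id}) to
    that VPC endpoint with an aws:SourceVpce condition. Returns the new policy JSON, or None when no
    statement remains (an empty Statement array is not a valid policy, so delete the policy instead)."""
    policy = json.loads(policy_json)
    restrict_to_vpce = restrict_to_vpce or {}
    kept = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid")
        if sid in remove_sids:
            continue
        if sid in restrict_to_vpce:
            equals = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            equals["aws:SourceVpce"] = restrict_to_vpce[sid]
        kept.append(stmt)
    return json.dumps({**policy, "Statement": kept}) if kept else None

# Constructed samples (not from any real account) exercising both cleanup paths.
SAMPLE_ACL = {"Owner": {"ID": "0000owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0000owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/app/*"}]})
```

The removed-grants list and the before/after policy strings are what the plan asks you to record per bucket; re-run the assessment checks on the returned documents before writing them back.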
Validation
Validate Block Public Access configuration on selected buckets
Confirm that Block Public Access is correctly enforced:
- Retrieve the Block Public Access configuration for each bucket that was locked down.
- Verify that each has the intended settings enabled (typically all four options).
- Identify any buckets that do not fully meet the desired configuration and note recommended remediation steps.
- Produce a summary indicating which buckets fully meet the Block Public Access requirements.
Validate selected buckets are no longer publicly accessible
Ensure there is no remaining public access via ACLs or policies:
- For each locked-down bucket, confirm that the bucket ACL no longer includes AllUsers or AuthenticatedUsers grants.
- If object ACLs were sampled and cleaned, re-check representative objects to verify public grants are removed.
- Review each bucket’s current policy to ensure no statements still provide unintended public or anonymous access.
- Confirm that Block Public Access settings, ACLs, and policies are consistent and effectively prevent public exposure.
- Produce a final validation report listing all buckets confirmed as not publicly accessible and calling out any remaining issues or required exceptions.