ACL Behavior of S3 Objects After Enabling and Then Disabling S3 Block Public Access

Overview

Starting from an S3 bucket that has Block Public Access disabled, I verify whether
enabling Block Public Access and then disabling it again has any effect on the
ACLs of the objects in the bucket.

Conclusion First

I was able to confirm that the behavior matches what is described in the official documentation.

For an S3 object with ACL = public-read, enabling Block Public Access makes public access
unavailable, and then disabling Block Public Access makes public access available again.

In the AWS console, the Everyone Read permission disappears when Block Public Access is enabled,
which is momentarily alarming, but I confirmed that it returns to its original state when
Block Public Access is disabled.

Official Documentation Reference

https://docs.aws.amazon.com/ja_jp/AmazonS3/latest/userguide/access-control-block-public-access.html

Block Public Access settings don’t change existing policies or ACLs. Therefore, removing a Block Public Access setting causes a bucket or object with a public policy or ACL to again become publicly accessible.

In other words, enabling Block Public Access and then disabling it has no effect on the object’s ACL.

What to Try

  1. Create an S3 bucket with Block Public Access disabled
  2. Upload a file with acl = public-read to S3
  3. Confirm that the file can be accessed via its S3 object URL
  4. Enable Block Public Access on S3
  5. Confirm that the file cannot be accessed via its S3 object URL
  6. Disable Block Public Access on S3
  7. Confirm that the file can be accessed via its S3 object URL
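A check to go with this procedure, added here and not code from the original post: it models how Block Public Access masks an object ACL without changing it, and lists the objects that will become public again if the setting is later switched off. It makes no AWS calls; the grant and setting dicts are assumed to follow the shapes of boto3's get_object_acl response and PublicAccessBlockConfiguration, and the sample data is constructed.

```python
"""Effective public access of an S3 object from the bucket's Block Public
Access (BPA) settings plus the object's ACL grants. Added example, not code
from the original post; no AWS calls. Grants use the shape of boto3's
get_object_acl()["Grants"] and the BPA dict uses the
PublicAccessBlockConfiguration keys; the sample data below is constructed."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def acl_grants_public_read(grants):
    """True if the ACL itself gives READ (or FULL_CONTROL) to AllUsers."""
    for g in grants:
        grantee = g.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS
                and g.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False


def effective_public_read(grants, bpa):
    """Whether anonymous GET works right now. IgnorePublicAcls makes S3
    disregard public ACL grants without removing them; BlockPublicAcls only
    rejects new PUTs of public ACLs, so existing grants are left alone."""
    return not bpa.get("IgnorePublicAcls", False) and acl_grants_public_read(grants)


def latent_public_objects(objects, bpa):
    """Keys whose ACL is public but masked by BPA right now: exactly the
    objects that become public again the moment BPA is switched off."""
    return sorted(k for k, g in objects.items()
                  if acl_grants_public_read(g) and not effective_public_read(g, bpa))


# Constructed sample data mirroring the post: one public-read object, one
# private object, and the two BPA states the post toggles between.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"}
PUBLIC_READ_GRANTS = [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                              "Permission": "READ"}]
PRIVATE_GRANTS = [OWNER]
BPA_DISABLED = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ENABLED = {key: True for key in BPA_DISABLED}
OBJECTS = {"public_read.txt": PUBLIC_READ_GRANTS, "private.txt": PRIVATE_GRANTS}


def walk_through():
    """Replay the post's sequence (BPA off -> on -> off) for public_read.txt;
    the grant list is never modified, only the effective answer changes."""
    return [effective_public_read(PUBLIC_READ_GRANTS, bpa)
            for bpa in (BPA_DISABLED, BPA_ENABLED, BPA_DISABLED)]
```

Running latent_public_objects over a real bucket's ACLs while Block Public Access is on is the audit that tells you what step 6 will expose.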

Trying It Out

Create a test S3 bucket with Terraform
resource "aws_s3_bucket" "test" {
  bucket = "test-by-kenzo-tanaka"
}

resource "aws_s3_bucket_acl" "test" {
  bucket = aws_s3_bucket.test.id
  acl    = "private"
}

resource "aws_s3_bucket_versioning" "test" {
  bucket = aws_s3_bucket.test.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_logging" "test" {
  bucket = aws_s3_bucket.test.id

  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "s3/${aws_s3_bucket.test.id}/"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "test" {
  bucket = aws_s3_bucket.test.bucket
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Block Public Access disabled
resource "aws_s3_bucket_public_access_block" "test" {
  bucket = aws_s3_bucket.test.id

  ignore_public_acls      = false
  restrict_public_buckets = false
  block_public_acls       = false
  block_public_policy     = false
}

Upload a File with acl = public-read

$ echo "public read" > public_read.txt

# Upload public_read.txt to S3 with acl=public-read (public)
$ aws s3 cp public_read.txt s3://test-by-kenzo-tanaka/ --acl public-read

$ echo "private" > private.txt

# Upload private.txt to S3 with acl=private (not public)
$ aws s3 cp private.txt s3://test-by-kenzo-tanaka/ --acl private

With acl = public-read, the console shows the object in a public state, readable by anyone.

Verify Access via the S3 Object URL

# Since acl = public-read, the S3 object URL is accessible
$ curl -I https://test-by-kenzo-tanaka.s3.ap-northeast-1.amazonaws.com/public_read.txt

HTTP/1.1 200 OK
...

# Since acl = private, the S3 object URL is not accessible
$ curl -I https://test-by-kenzo-tanaka.s3.ap-northeast-1.amazonaws.com/private.txt

HTTP/1.1 403 Forbidden
...

Enable S3 Block Public Access

resource "aws_s3_bucket_public_access_block" "test" {
  bucket = aws_s3_bucket.test.id

  ignore_public_acls      = true
  restrict_public_buckets = true
  block_public_acls       = true
  block_public_policy     = true
}

  • Confirm that Block Public Access has been enabled

  • The Everyone Read permission on public_read.txt has disappeared

  • private.txt is unchanged

I confirmed that attempting to access both public_read.txt and private.txt returns 403 Forbidden.

$ curl -I https://test-by-kenzo-tanaka.s3.ap-northeast-1.amazonaws.com/public_read.txt

HTTP/1.1 403 Forbidden
...

$ curl -I https://test-by-kenzo-tanaka.s3.ap-northeast-1.amazonaws.com/private.txt

HTTP/1.1 403 Forbidden
...

Disable S3 Block Public Access Again

Disable Block Public Access once more.

resource "aws_s3_bucket_public_access_block" "test" {
  bucket = aws_s3_bucket.test.id

  ignore_public_acls      = false
  restrict_public_buckets = false
  block_public_acls       = false
  block_public_policy     = false
}

  • Confirm that Block Public Access has been disabled

  • Confirm that the Everyone Read permission on public_read.txt has been restored

  • private.txt is unchanged

I was able to confirm that public_read.txt becomes publicly accessible again,
while private.txt remains not publicly accessible.

$ curl -I https://test-by-kenzo-tanaka.s3.ap-northeast-1.amazonaws.com/public_read.txt

HTTP/1.1 200 OK
...

$ curl -I https://test-by-kenzo-tanaka.s3.ap-northeast-1.amazonaws.com/private.txt

HTTP/1.1 403 Forbidden
...

Summary

As stated in the conclusion, I was able to confirm that the behavior matches the official documentation.

That’s all.
I hope this is helpful.

https://kenzo0107.github.io/en/2023/04/05/s3-bucket-public-access-block/

Author

Kenzo Tanaka

Posted on

2023-04-05
