We have several buckets, some marked "public" and others "Objects can be public", and I don't understand what the difference is.

I don't want any of the buckets to be publicly listable. On all buckets I want to be in control of what people can access or see. Some keys should be public (you still need to know the URL to access them; no listing allowed) and some keys private, so you can't even tell they are there.

What is the configuration I should use?

I sometimes get warning notices from AWS saying the buckets are public and that I should check whether I really want this. What is the risk? And can I just change the

In both configurations, under "Permissions" it says:

  • Block all public access -- Off
    • Block public access to buckets and objects granted through new access control lists (ACLs) -- Off
    • Block public access to buckets and objects granted through any access control lists (ACLs) -- Off
    • Block public access to buckets and objects granted through new public bucket or access point policies -- Off
    • Block public and cross-account access to buckets and objects through any public bucket or access point policies -- Off

So I don't even see the difference.

1 Answer

For a bucket to be "public", it must have a Bucket Policy that grants some permissions to everybody (*).

For "Objects can be public", the bucket must permit ACLs that allow some objects to be set to public (but not the whole bucket). This requires the "ACL" options of Block Public Access to be "off".

By setting Block Public Access to "on", nothing will be accessible via bucket policies or ACLs. Access will only be possible via IAM permissions.
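The state the question asks for (no listing, a chosen prefix readable by URL, everything else private) can be expressed as one Block Public Access setting plus one bucket policy. The following is an added example, not code from the answer above or from AWS: it builds both, and includes a small audit that flags any policy statement granting everyone more than `s3:GetObject` on a key prefix. The bucket name and prefix used in the test are constructed placeholders.

```python
def block_public_access_config():
    """Block Public Access settings for the asked-for state: ACL-based public
    access is blocked entirely; public access via a bucket policy is allowed
    so that one prefix can be read by anyone who knows the URL."""
    return {
        "BlockPublicAcls": True,         # reject new public bucket/object ACLs
        "IgnorePublicAcls": True,        # ignore any public ACLs already set
        "BlockPublicPolicy": False,      # allow a policy that grants to "*"
        "RestrictPublicBuckets": False,  # do not confine that policy to the account
    }


def public_read_policy(bucket, prefix):
    """Bucket policy granting anonymous s3:GetObject on one key prefix only. No
    s3:ListBucket is granted, so nobody can enumerate keys, and keys outside
    the prefix stay private."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadOnePrefix",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def audit_public_statements(policy):
    """List problems: an Allow statement for everyone ("*") that grants anything
    other than s3:GetObject (s3:ListBucket would make the bucket listable), or
    whose resource is the whole bucket instead of a key prefix."""
    problems = []
    for stmt in policy.get("Statement", []):
        anon = stmt.get("Principal") in ("*", {"AWS": "*"})
        if stmt.get("Effect") != "Allow" or not anon:
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action.lower() != "s3:getobject":
                problems.append(f"{stmt.get('Sid')}: grants {action} to everyone")
        resources = stmt.get("Resource", [])
        for res in [resources] if isinstance(resources, str) else resources:
            # key part after "bucket/"; empty or bare "*" means the whole bucket
            key_part = res.split(":::", 1)[-1].partition("/")[2]
            if key_part in ("", "*"):
                problems.append(f"{stmt.get('Sid')}: not limited to a key prefix")
    return problems
```

With this policy attached and the ACL blocks on, the console still reports the bucket as "Public" (because of the `*` grant), which is the expected state rather than a misconfiguration.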