Making Your AWS S3 Bucket Non - Public: A Comprehensive Guide

Amazon Simple Storage Service (S3) is a highly scalable, reliable, and cost - effective object storage service provided by Amazon Web Services (AWS). By default, S3 buckets can be made public, which means anyone on the internet can access the objects stored within them. However, in many cases, you want to keep your data private and prevent unauthorized access. This blog post will guide software engineers through the process of making an S3 bucket non - public, covering core concepts, typical usage scenarios, common practices, and best practices.

Table of Contents#

  1. Core Concepts
    • What is an S3 Bucket?
    • Public vs. Non - Public Buckets
  2. Typical Usage Scenarios
    • Storing Sensitive Data
    • Corporate Data Storage
    • User - Specific Content
  3. Common Practices to Make an S3 Bucket Non - Public
    • Block Public Access Settings
    • Bucket Policies
    • Access Control Lists (ACLs)
  4. Best Practices
    • Regular Auditing
    • Least Privilege Principle
    • Multi - Factor Authentication (MFA)
  5. Conclusion
  6. FAQ
  7. References

Article#

Core Concepts#

What is an S3 Bucket?#

An S3 bucket is a container for objects stored in Amazon S3. You can think of it as a virtual storage folder. Buckets are the fundamental unit of storage in S3, and they are created in a specific AWS region. Each bucket has a unique name globally across all AWS accounts. Objects stored in a bucket can range from simple text files to large media files.

Public vs. Non - Public Buckets#

A public S3 bucket means that the bucket and its objects are accessible to anyone on the internet. This is achieved through settings like public bucket policies or permissive access control lists (ACLs). On the other hand, a non - public bucket restricts access to only authorized users or services. Only those with the appropriate permissions, such as AWS Identity and Access Management (IAM) users or roles, can access the bucket and its contents.

Typical Usage Scenarios#

Storing Sensitive Data#

Many organizations store sensitive data such as customer information, financial records, and trade secrets in S3 buckets. For example, a healthcare company might store patient medical records in an S3 bucket. Making the bucket non - public ensures that only authorized medical staff can access this sensitive information, protecting patient privacy and complying with regulations like the Health Insurance Portability and Accountability Act (HIPAA).

Corporate Data Storage#

Companies often use S3 for storing corporate data, including internal documents, project files, and backups. By keeping these buckets non - public, the company can maintain the confidentiality of its data and prevent competitors or unauthorized employees from accessing sensitive business information.

User - Specific Content#

Web applications that allow users to upload and store personal content, such as photos or videos, can use S3 buckets. Each user's content should be stored in a non - public bucket so that only the user and authorized application components can access their data. This enhances user privacy and security.

Common Practices to Make an S3 Bucket Non - Public#

Block Public Access Settings#

AWS provides a simple way to block public access to S3 buckets through the Block Public Access settings. You can configure four different settings:

  • Block public access to buckets and objects granted through new access control lists (ACLs)
  • Block public access to buckets and objects granted through any access control lists (ACLs)
  • Block public access to buckets and objects granted through new public bucket policies
  • Block public and cross - account access to buckets and objects through any public bucket policies

To set these options, navigate to the S3 console, select the bucket, and click on the "Block public access (bucket settings)" tab. Then, enable the desired settings.

Bucket Policies#

Bucket policies are JSON - based access policies that you can attach to an S3 bucket. You can use bucket policies to define who can access the bucket and what actions they can perform. For example, the following bucket policy restricts access to a specific IAM user:

{
    "Version": "2012 - 10 - 17",
    "Statement": [
        {
            "Sid": "RestrictAccessToUser",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::your - bucket - name/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:userId": "your - user - id"
                }
            }
        }
    ]
}

Access Control Lists (ACLs)#

ACLs are another way to control access to S3 buckets and objects. ACLs are legacy access control mechanisms, but they are still supported. You can use ACLs to grant or deny permissions to specific AWS accounts or predefined groups. To manage ACLs, go to the bucket properties in the S3 console and click on the "Permissions" tab.

Best Practices#

Regular Auditing#

Regularly audit your S3 bucket permissions to ensure that no unauthorized public access has been accidentally granted. You can use AWS Config, which provides a detailed inventory of your AWS resources and their configurations. AWS Config can monitor S3 bucket public access settings and alert you if any changes are made that could potentially expose your data.

Least Privilege Principle#

Follow the principle of least privilege when granting permissions to S3 buckets. Only grant users or services the minimum permissions necessary to perform their tasks. For example, if a user only needs to read objects from a bucket, do not grant them write or delete permissions.

Multi - Factor Authentication (MFA)#

Enable MFA for users who have access to sensitive S3 buckets. MFA adds an extra layer of security by requiring users to provide a second form of authentication, such as a one - time password from a mobile device, in addition to their regular credentials.

Conclusion#

Making an S3 bucket non - public is crucial for protecting sensitive data and maintaining the security and privacy of your information. By understanding the core concepts, typical usage scenarios, and common practices, software engineers can effectively secure their S3 buckets. Additionally, following best practices like regular auditing, the least privilege principle, and enabling MFA can further enhance the security of your S3 storage.

FAQ#

Can I still access my non - public S3 bucket if I forget my credentials?#

Yes, you can use AWS Identity and Access Management (IAM) to reset your credentials. If MFA is enabled, you will need to follow the appropriate MFA recovery procedures.

What if I need to share some objects in a non - public bucket with others?#

You can use pre - signed URLs. A pre - signed URL allows you to grant temporary access to a specific object in your bucket to anyone with the URL. The URL has an expiration time, so you can control how long the access is valid.

Are there any costs associated with making an S3 bucket non - public?#

No, there are no additional costs for making an S3 bucket non - public. The costs associated with S3 are based on storage usage, data transfer, and requests, which are not affected by the public or non - public status of the bucket.

References#

2025-10