Learn how to restrict public access to S3 buckets, enhancing data security by configuring or modifying the PublicAccessBlock policy through the put-bucket-policy S3 API.
About this task
To apply the PublicAccessBlock policy to the bucket, first apply a policy that grants public access, and then apply the PublicAccessBlock policy. The policy is applied through the put-bucket-policy S3 API, which is similar to Amazon S3. For more information, see PutPublicAccessBlock in the Amazon S3 API Reference Guide.
Important: When the Multicloud Object Gateway (MCG) evaluates the PublicAccessBlock policy for a bucket or an object, it checks the PublicAccessBlock policy configuration for both the bucket that contains the object and the bucket owner's account.
Restriction: Only bucket-wide policy is supported and not account-wide policy. Also,
access control lists (ACLs) are not supported within the policy.
Procedure
- Allow a general access policy.
Policy example:
{
  "Version": "2025-06-25",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket_name>/*",
        "arn:aws:s3:::<bucket_name>"
      ]
    }
  ]
}
- Set the PublicAccessBlock policy.
The default PublicAccessBlock policy configuration is as follows:
{
  "BlockPublicPolicy": false,
  "RestrictPublicBuckets": false
}
To block public policies and restrict public buckets, set the values to true as follows:
{
  "BlockPublicPolicy": true,
  "RestrictPublicBuckets": true
}
The following configuration is not supported:
{
  "BlockPublicAcls": false,      <-- Not allowed even as false
  "IgnorePublicAcls": false,     <-- Not allowed even as false
  "BlockPublicPolicy": true,
  "RestrictPublicBuckets": true
}
- Apply the PublicAccessBlock policy by using the put-public-access-block command.
Command example:
alias s3api='AWS_ACCESS_KEY_ID=<access_key> AWS_SECRET_ACCESS_KEY=<secret_key> aws s3api --no-verify-ssl --endpoint <endpoint>'
s3api put-public-access-block --bucket <bucket_name> --public-access-block-configuration file://<configuration_file_path>
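A pre-flight check for the configuration file, as an added example that is not part of the product or its documentation: it rejects the ACL keys and non-boolean values described in the procedure, and lists the Allow statements in a bucket policy that are open to everyone. The function names, the sample inputs and the simplified definition of a public statement are assumptions made for illustration.

```python
import json

# Per the restriction above: only these two keys are accepted by MCG;
# the ACL keys are rejected even when set to false.
SUPPORTED = {"BlockPublicPolicy", "RestrictPublicBuckets"}
ACL_KEYS = {"BlockPublicAcls", "IgnorePublicAcls"}

def check_pab_config(text):
    """Return a list of problems in a PublicAccessBlock configuration file."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key, value in cfg.items():
        if key in ACL_KEYS:
            problems.append(f"{key}: ACL settings are not supported, even as false")
        elif key not in SUPPORTED:
            problems.append(f"{key}: unknown key")
        elif not isinstance(value, bool):
            problems.append(f"{key}: must be true or false, not {value!r}")
    return problems

def public_allow_statements(policy_text):
    """Return the indexes of Allow statements that are open to everyone."""
    # Assumption: "public" means Principal "*" or {"AWS": "*"} only;
    # Condition blocks are not evaluated.
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if st.get("Effect") == "Allow" and wildcard:
            hits.append(i)
    return hits

# Constructed sample inputs.
GOOD = '{"BlockPublicPolicy": true, "RestrictPublicBuckets": true}'
BAD = '{"BlockPublicAcls": false, "BlockPublicPolicy": "true"}'
POLICY = ('{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",'
          ' "Resource": ["arn:aws:s3:::example-bucket/*"]}]}')

if __name__ == "__main__":
    print(check_pab_config(GOOD), check_pab_config(BAD), public_allow_statements(POLICY))
```

Run the check on the file passed to --public-access-block-configuration before applying it, so that an unsupported key is caught locally rather than at the endpoint.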