Reputation: 182
I am struggling to understand this section of the AWS documentation; can a kind soul help explain these in simpler terms?
This is the document page https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
The four settings for Block Public Access: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets.
How do BlockPublicAcls and IgnorePublicAcls work differently?
How do BlockPublicPolicy and RestrictPublicBuckets work differently?
And in the paragraph below... does the setting pass through to the bucket, or apply to the bucket?
Access points don't have ACLs associated with them. If you apply this setting to an access point, it acts as a passthrough to the underlying bucket. If an access point has this setting enabled, requests made through the access point behave as though the underlying bucket has this setting enabled, regardless of whether the bucket actually has this setting enabled.
Upvotes: 9
Views: 4533
Reputation: 238309
How do BlockPublicAcls and IgnorePublicAcls work differently?
For example, the AWS S3 API has a call such as put-object with the option --acl. With this you can not only upload an object, but also make it publicly available.
When Block Public Access is off, the call
aws s3api put-object --bucket some-bucket --acl public-read --key test.file
succeeds, and test.file will be not only uploaded, but also publicly available.
Now, if you enable:
BlockPublicAcls: the above API call will fail. Any API call which uses --acl public-read will be rejected. So test.file won't be uploaded.
IgnorePublicAcls: the API call succeeds. The file is uploaded, but the option --acl public-read is ignored and the file is private.
How do BlockPublicPolicy and RestrictPublicBuckets work differently?
Similarly, you can use put-bucket-policy to apply public bucket policies, e.g.:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MyBucket/*"
        }
    ]
}
with
aws s3api put-bucket-policy --bucket MyBucket --policy file://policy.json
Now, if you enable:
BlockPublicPolicy: the above API call will fail, because the policy allows public access.
RestrictPublicBuckets: the above API call will succeed, and the bucket policy will be applied. However, the policy will be ignored, and objects will be private. Disabling RestrictPublicBuckets will make the policy work, and the objects will be publicly available.
There are new ways of controlling access to your objects. Instead of using the default AWS S3 endpoint, as in the examples above, you can create your own endpoints and use those. For example:
aws s3api put-object --bucket some-bucket --acl public-read --key test.file --endpoint-url https://<endpoint-name>-<account-id>.s3-accesspoint.<region>.amazonaws.com
A single bucket can have many access points, each with its own endpoint, for different purposes. Also, each access point has its own Block Public Access settings and access point policy (similar to a bucket policy). The options in Block Public Access for access points work similarly to those for a bucket, with the exceptions mentioned in the docs you cited.
Upvotes: 9
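To make the outcomes in the answer above concrete, here is an added example (not from the answer or from AWS) that models the four flags as a small decision function: what happens to `put-object --acl public-read`, to `put-bucket-policy` with the wildcard-principal policy shown above, and how the access point passthrough combines the two sets of settings. The `is_public_statement` check is a deliberately conservative approximation of S3's own "public policy" test, and all inputs are constructed samples.

```python
from dataclasses import dataclass, astuple

@dataclass(frozen=True)
class PublicAccessBlock:
    """The four Block Public Access flags (names mirror the S3 API)."""
    block_public_acls: bool = False
    ignore_public_acls: bool = False
    block_public_policy: bool = False
    restrict_public_buckets: bool = False

# Canned ACLs that grant access to everyone (subset used for illustration).
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}

def is_public_statement(stmt):
    """Conservative check: any Allow to a wildcard principal counts as public.
    (S3's real test also exempts some Condition keys; ignored here.)"""
    p = stmt.get("Principal")
    wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
    return stmt.get("Effect") == "Allow" and wildcard

def is_public_policy(policy):
    return any(is_public_statement(s) for s in policy.get("Statement", []))

def put_object_with_acl(pab, canned_acl):
    """Outcome of `put-object --acl <canned_acl>`: (uploaded, object_public)."""
    public = canned_acl in PUBLIC_CANNED_ACLS
    if public and pab.block_public_acls:
        return (False, False)   # call rejected, nothing is uploaded
    if public and pab.ignore_public_acls:
        return (True, False)    # uploaded, but the public grant has no effect
    return (True, public)

def put_bucket_policy(pab, policy):
    """Outcome of `put-bucket-policy`: (policy_applied, objects_public)."""
    public = is_public_policy(policy)
    if public and pab.block_public_policy:
        return (False, False)   # call rejected, previous policy stays in place
    if public and pab.restrict_public_buckets:
        return (True, False)    # stored, but public grants are not honoured
    return (True, public)

def effective_settings(bucket, access_point):
    """Passthrough rule from the docs: a flag enabled on either the bucket or
    the access point applies to requests made through the access point."""
    pairs = zip(astuple(bucket), astuple(access_point))
    return PublicAccessBlock(*(b or a for b, a in pairs))

# Constructed sample: the public-read bucket policy from the answer above.
PUBLIC_READ_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                     "Action": "s3:GetObject",
                                     "Resource": "arn:aws:s3:::MyBucket/*"}]}
```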
Reputation: 35188
I can see this can be confusing; however, the below should help to illustrate the usage of these.
BlockPublicAcls - This prevents any new ACLs from being created, or existing ACLs from being modified, to enable public access to the object. With this alone, existing ACLs will not be affected.
IgnorePublicAcls - Any ACL actions that exist with public access will be ignored; this does not prevent them being created but prevents their effects.
BlockPublicPolicy - This prevents a bucket policy containing public actions from being created or modified on an S3 bucket; the bucket itself will still allow the existing policy.
RestrictPublicBuckets - This will prevent non-AWS services or authorized users (such as an IAM user or role) from being able to publicly access objects in the bucket.
Upvotes: 15