Certified Security - Specialty


S3 Bucket Policy vs S3 ACL – Please correct lecture

In the lecture "S3 ACLs", at 5:45, it was mentioned that the object was made "Public" even though the Bucket is "not". 

This is wrong. 

Actually, if you noticed at 1:45 of the same lecture, the bucket in question has already been made Public at the "Bucket level". That is why he was able to make the Object "Hello.txt" public in the first place.

You CANNOT make an object public, while the bucket itself is not. AWS is clear about it if you try to do so for any specific object:

Public access is blocked because Block Public Access settings are turned on for this bucket. To determine which settings are turned on, check your bucket settings for Block Public Access. Learn more about using Amazon S3 Block Public Access. 

Furthermore, if you create a new bucket, turn OFF all the Block public access (bucket settings), and upload an object (an image, for example), then that image, by default, WON'T be public. A user would have to make it explicitly public (through a bucket policy, or through the S3 ACL) for it to be public.

Now, another scenario: if you create a new bucket (or do so through an existing one) and turn ON all the Block public access (bucket settings), and try to create the following Bucket resource policy, it will actually "magically" fail: 

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::some_s3_bucket/image1.jpg"
        }
    ]
}

That is, until the Bucket itself is made public by turning OFF the Block public settings (bucket settings).

0 Answers
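Added example, not from the original post or from the course: a small Python model of the behaviour the post describes, showing that the same bucket policy is rejected while BlockPublicPolicy is on and accepted once Block Public Access is turned off. The PublicAccessBlock field names are the real S3 API ones; the definition of a "public" statement is a simplified assumption (any Allow statement with a wildcard Principal and no Condition).

```python
"""Model of the S3 Block Public Access check described in the post (added example)."""
import json

# Real S3 PublicAccessBlock field names; the values are constructed samples.
BPA_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BPA_ALL_OFF = {name: False for name in BPA_ALL_ON}

# Constructed sample: the policy from the post, with its braces restored.
POLICY_FROM_POST = json.loads("""
{"Version": "2008-10-17",
 "Statement": [{"Sid": "2", "Effect": "Allow", "Principal": "*",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::some_s3_bucket/image1.jpg"}]}
""")

def is_wildcard_principal(principal):
    """The spellings of 'everyone' a policy statement can use."""
    return principal in ("*", {"AWS": "*"}, {"AWS": ["*"]})

def public_statements(policy):
    """Sids of Allow statements that grant access to anyone.

    Simplifying assumption: a statement carrying any Condition is treated as
    scoped (non-public); AWS's real rule only exempts specific condition keys.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is legal too
        statements = [statements]
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in statements
        if stmt.get("Effect") == "Allow"
        and is_wildcard_principal(stmt.get("Principal"))
        and "Condition" not in stmt
    ]

def put_bucket_policy_outcome(policy, block_public_access):
    """Outcome of PutBucketPolicy: BlockPublicPolicy=True rejects a public policy."""
    public = public_statements(policy)
    if public and block_public_access.get("BlockPublicPolicy", False):
        return "REJECTED", public
    return "ACCEPTED", public

if __name__ == "__main__":
    for label, bpa in (("all ON", BPA_ALL_ON), ("all OFF", BPA_ALL_OFF)):
        outcome, sids = put_bucket_policy_outcome(POLICY_FROM_POST, bpa)
        print(f"Block Public Access {label}: PutBucketPolicy {outcome}, public Sids {sids}")
```

Running the script prints REJECTED for the all-ON settings and ACCEPTED for all-OFF, which is the "magic" failure the post describes.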
