AWS Certified Solutions Architect - Associate (SAA-C02)


Do objects added to an S3 bucket inherit the public access setting that the bucket had at the time they were added?

In lecture 5.2 of the AWS CSA-A course, "Securing Your Bucket with S3 Block Public Access", Ryan demonstrates that buckets are born with block public access on by default. He then adds two objects and removes the bucket-level block. The objects still block public access and must have their ACLs set to allow it.

It would be helpful if Ryan had mentioned what happens if you first allow bucket-level public access and then add objects. Do the objects inherit the public access setting? I’m gonna go find out…

5 Answers

I’m back to answer my own question. The long answer is, "it’s complicated." When Ryan switches off bucket-level Block Public Access in his demonstration, you will notice four additional options on that configuration screen that allow you to decide how to handle what happens to "new" objects and buckets.

If you repeat Ryan’s demo except turn off bucket-level Block Public Access before you upload objects, it doesn’t change the outcome. The objects are still NOT publicly accessible until you set their ACLs.

I believe you can create a bucket policy on a public bucket that automatically makes all new objects public by default.

I think even if you uncheck Block Public Access by default, it just gives you the option to make the files in the bucket public, i.e. it doesn’t automatically enable it for you but gives you the option to make an object public using ACLs.

I feel it could be in line with the principle of least privilege and a way to add a layer of checking to ensure you don’t by mistake enable all files, especially if the bucket is accessible by multiple users.

An object doesn’t inherit permissions from its bucket; rather, objects are subject to the access controls configured using bucket policies, bucket ACLs, object ACLs and user policies (for example, granting permissions to a user group). As Ryan shows in the next video, you can configure a bucket policy to apply to all objects by adding a policy with action s3:GetObject on the bucket. The AWS documentation outlines some use cases.
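As an added example (not code from the course or from any of the answers above), the bucket-policy approach from the last answer and the four Block Public Access sub-settings from the earlier answer, worked in Python against a boto3-style S3 client. It builds the public-read policy (Principal "*", s3:GetObject on arn:aws:s3:::bucket/*), applies a simplified version of the test S3 uses to decide whether a policy counts as "public", and refuses to attach a public policy while BlockPublicPolicy is on rather than letting the PutBucketPolicy call fail. The `StubS3` class, the bucket name `demo-bucket` and the account ID are constructed for the offline run; the real calls assumed are boto3's `get_public_access_block`, `put_bucket_policy` and the `NoSuchPublicAccessBlockConfiguration` exception.

```python
import json

# The four bucket-level Block Public Access settings, as shown in the console
# once the top-level "Block all public access" checkbox is cleared.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_read_policy(bucket: str) -> dict:
    """Bucket policy granting anonymous s3:GetObject on every object in the bucket.
    Unlike a per-object ACL, this also covers objects uploaded later."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _principal_is_anonymous(principal) -> bool:
    """True for the two spellings of an anonymous principal: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_is_public(policy: dict) -> bool:
    """Simplified form of S3's 'is this policy public' test: any Allow statement to an
    anonymous principal with no Condition block. S3's real rule is broader (only a
    few condition keys, such as a narrow aws:SourceIp range, make a statement
    non-public), so this approximation under-reports rather than over-reports."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        return True
    return False


def put_policy_checked(s3, bucket: str, policy: dict) -> dict:
    """Attach `policy` to `bucket`, but pre-flight it against Block Public Access.
    Returns what the policy actually achieves: a public policy attached while
    RestrictPublicBuckets is on still does not give anonymous readers access."""
    try:
        cfg = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except s3.exceptions.NoSuchPublicAccessBlockConfiguration:
        cfg = {k: False for k in BPA_KEYS}   # nothing configured: all four are off
    public = policy_is_public(policy)
    if public and cfg.get("BlockPublicPolicy"):
        raise PermissionError(
            f"{bucket}: BlockPublicPolicy is on; S3 would reject this public policy")
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    restricted = bool(cfg.get("RestrictPublicBuckets"))
    return {"bucket": bucket, "policy_public": public,
            "anonymous_read": public and not restricted}


class StubS3:
    """Constructed offline stand-in for a boto3 S3 client; makes no AWS calls.
    `bpa` is the PublicAccessBlockConfiguration dict, or None for 'not configured'."""
    class exceptions:
        class NoSuchPublicAccessBlockConfiguration(Exception):
            pass

    def __init__(self, bpa):
        self.bpa = bpa
        self.policies = {}

    def get_public_access_block(self, Bucket):
        if self.bpa is None:
            raise self.exceptions.NoSuchPublicAccessBlockConfiguration()
        return {"PublicAccessBlockConfiguration": dict(self.bpa)}

    def put_bucket_policy(self, Bucket, Policy):
        self.policies[Bucket] = json.loads(Policy)
        return {"ResponseMetadata": {"HTTPStatusCode": 204}}


if __name__ == "__main__":
    locked = StubS3({k: True for k in BPA_KEYS})        # console default for a new bucket
    try:
        put_policy_checked(locked, "demo-bucket", public_read_policy("demo-bucket"))
    except PermissionError as e:
        print("refused:", e)
    opened = StubS3(None)                               # Block Public Access removed
    print(put_policy_checked(opened, "demo-bucket", public_read_policy("demo-bucket")))
```

The result dictionary is the point of the check: `policy_public` says whether the policy grants anonymous access on paper, `anonymous_read` whether an unauthenticated GET would actually succeed given RestrictPublicBuckets. Object ACLs are the other path the thread discusses and are gated separately: BlockPublicAcls rejects new public ACLs at upload or PutObjectAcl time, and IgnorePublicAcls makes S3 disregard public ACLs that already exist.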