S3 Block Public Access

You can use the S3 Block Public Access feature to apply settings to buckets and users that help you manage public access to IBM Storage Ceph object storage S3 resources.

Using this feature, bucket policies, access point policies, and object permissions that would grant public access can be overridden so that public access is blocked. By default, new buckets, access points, and objects do not allow public access.

The S3 API in the Ceph Object Gateway supports a subset of the AWS public access settings:
BlockPublicPolicy
This setting lets users continue to manage access point and bucket policies, but prevents them from publicly sharing the bucket or the objects it contains. Existing access point and bucket policies are not affected by enabling this setting. Setting this option to TRUE causes the S3 API:
  • To reject calls to PUT Bucket policy if the specified bucket policy allows public access.
  • To reject calls to PUT access point policy for all of the bucket's same-account access points if the specified access point policy allows public access.
Important: Apply this setting at the user level so that users cannot alter the block public access setting of an individual bucket.
Note: A PUT is rejected only if the specified policy allows public access; a non-public policy is still accepted when this option is TRUE.
RestrictPublicBuckets
This setting restricts access to a bucket or access point that has a public policy.

When set to TRUE, access to such a bucket or access point is limited to AWS service principals and authorized users within the bucket owner's account and access point owner's account. This blocks cross-account access to the access point or bucket, except for the cases specified, while still allowing users within the account to manage the access points or buckets.

Enabling this setting does not change existing access point or bucket policies. It only means that the Ceph Object Gateway blocks public and cross-account access derived from any public access point or bucket policy, including non-public delegation to specific accounts.
Note: The ACL-related public access settings are not currently supported by IBM Storage Ceph; only the two policy-related settings above are available.
Bucket policies are assumed to be public unless defined otherwise. To be considered non-public, a bucket policy must grant access only to fixed values for one or more of the following:
  • An AWS principal, user, role, or service principal
  • A set of Classless Inter-Domain Routing (CIDR) ranges, using aws:SourceIp
  • aws:SourceArn
  • aws:SourceVpc
  • aws:SourceVpce
  • aws:SourceOwner
  • aws:SourceAccount
  • s3:x-amz-server-side-encryption-aws-kms-key-id
  • aws:userid outside the pattern AROLEID:*
  • s3:DataAccessPointArn
    Note: When used in a bucket policy, this value can contain a wildcard for the access point name without rendering the policy public, as long as the account ID is fixed.
  • s3:DataAccessPointAccount
Note: A fixed value does not contain a wildcard (*) or an AWS Identity and Access Management (IAM) policy variable.

Example of a policy that is considered public. The principal is a wildcard and the only condition compares aws:SourceVpc against a value that itself contains a wildcard, so nothing pins access to a fixed value:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "*",
            "Resource": "*",
            "Action": "s3:PutObject",
            "Effect": "Allow",
            "Condition": { "StringLike": { "aws:SourceVpc": "vpc-*" } }
        }
    ]
}

To make a policy non-public, include at least one of the listed condition keys with a fixed value.

Example of a policy that is considered non-public. The condition is the same key as above, but compared for equality against a single fixed VPC ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "*",
            "Resource": "*",
            "Action": "s3:PutObject",
            "Effect": "Allow",
            "Condition": { "StringEquals": { "aws:SourceVpc": "vpc-91237329" } }
        }
    ]
}
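The public/non-public rule described above, worked through as an added example that is not part of this page and is not the Ceph Object Gateway's own policy evaluator. The classifier treats a statement as public when it has Effect Allow, a wildcard principal, and no listed condition key compared against a fixed value; it goes slightly beyond the two examples on the page by also handling Deny statements, fixed principals, negated operators, policy variables, the aws:userid role-session pattern, and the s3:DataAccessPointArn exception. Treating ? as a wildcard, ignoring negated, IfExists and Null operators, and allowing a wildcard only in the access point name field of the ARN are assumptions made here; the sample policies and the 123456789012 account ID are constructed.

```python
"""Classify S3 bucket policies as public or non-public (added example).

Not the Ceph Object Gateway's own code: an approximation of the page's rule
that a wildcard-principal Allow statement is public unless a listed condition
key is compared against a fixed value (no '*', no policy variable).
"""
import json
import re

# Condition keys that make a wildcard-principal statement non-public when
# compared against a fixed value (list from the page, lower-cased for lookup).
FIXED_VALUE_KEYS = {
    "aws:sourceip", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceowner", "aws:sourceaccount", "aws:userid",
    "s3:x-amz-server-side-encryption-aws-kms-key-id",
    "s3:dataaccesspointarn", "s3:dataaccesspointaccount",
}
WILDCARD = re.compile(r"[*?]")                # '?' treated as a wildcard too (assumption)
POLICY_VARIABLE = re.compile(r"\$\{[^}]*\}")  # IAM policy variable, e.g. ${aws:username}


def is_fixed_value(value: str) -> bool:
    """A fixed value contains neither a wildcard nor a policy variable."""
    return not (WILDCARD.search(value) or POLICY_VARIABLE.search(value))


def access_point_arn_is_fixed(value: str) -> bool:
    """arn:partition:s3:region:account:accesspoint/name -- the account ID must be
    fixed; a wildcard is tolerated only in the trailing accesspoint/name field."""
    parts = value.split(":", 5)
    if len(parts) != 6 or POLICY_VARIABLE.search(value):
        return False
    head, account, resource = parts[1:5], parts[4], parts[5]
    return bool(account) and all(is_fixed_value(p) for p in head) \
        and resource.startswith("accesspoint/")


def principal_is_public(principal) -> bool:
    """"*" or {"AWS": "*"} grants to every caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False                                   # fixed principal, or none given


def condition_pins_access(condition: dict) -> bool:
    """True when some listed key is positively matched against fixed value(s)."""
    for operator, pairs in condition.items():
        op = operator.lower().split(":")[-1]       # strip ForAnyValue:/ForAllValues:
        if "not" in op or op.endswith("ifexists") or op == "null":
            continue                               # assumption: these do not pin a value
        for key, raw in pairs.items():
            k = key.lower()
            if k not in FIXED_VALUE_KEYS:
                continue
            values = [str(v) for v in (raw if isinstance(raw, list) else [raw])]
            check = access_point_arn_is_fixed if k == "s3:dataaccesspointarn" else is_fixed_value
            if values and all(check(v) for v in values):
                return True
    return False


def statement_is_public(stmt: dict) -> bool:
    """Allow + wildcard principal + no pinning condition == public."""
    if stmt.get("Effect") != "Allow":
        return False                               # Deny grants nothing
    if not principal_is_public(stmt.get("Principal")):
        return False
    return not condition_pins_access(stmt.get("Condition", {}))


def policy_is_public(policy_json: str) -> bool:
    """A policy is public if any one of its statements is."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    return any(statement_is_public(s) for s in statements)


def _policy(**stmt) -> str:
    """Build a one-statement policy document; kwargs override the defaults."""
    base = {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "*"}
    return json.dumps({"Version": "2012-10-17", "Statement": [{**base, **stmt}]})


# Constructed sample policies; the first two mirror the examples on the page.
AP = "arn:aws:s3:us-east-1:123456789012:accesspoint/"
SAMPLES = {
    "wildcard_vpc":         _policy(Condition={"StringLike": {"aws:SourceVpc": "vpc-*"}}),
    "fixed_vpc":            _policy(Condition={"StringEquals": {"aws:SourceVpc": "vpc-91237329"}}),
    "no_condition":         _policy(),
    "fixed_principal":      _policy(Principal={"AWS": "arn:aws:iam::123456789012:root"}),
    "deny_statement":       _policy(Effect="Deny"),
    "negated_cidr":         _policy(Condition={"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}),
    "policy_variable":      _policy(Condition={"StringEquals": {"aws:SourceAccount": "${aws:userid}"}}),
    "role_session_userid":  _policy(Condition={"StringEquals": {"aws:userid": "AROAEXAMPLEID:*"}}),
    "ap_arn_wild_name":     _policy(Condition={"ArnLike": {"s3:DataAccessPointArn": AP + "*"}}),
    "ap_arn_wild_account":  _policy(Condition={"ArnLike": {"s3:DataAccessPointArn": AP.replace("123456789012", "*") + "reports"}}),
}


def classify_samples() -> dict:
    """Map each sample name to True (public) or False (non-public)."""
    return {name: policy_is_public(doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, public in classify_samples().items():
        print(f"{name:22} {'PUBLIC' if public else 'non-public'}")
```

Run it over a policy document before the PUT so that a BlockPublicPolicy rejection is not the first signal that a policy is public; note that the negated-operator case is public because a NotIpAddress condition grants to every caller outside the range rather than pinning access to a fixed value.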