AWS S3 Bucket: what is the difference between "Block public access" and a blank Bucket pol

Time:12-25

I am very confused with the S3 bucket policy settings.

[Screenshot: the bucket's "Block public access" settings]

Here you can choose to block all public access.

However, if you un-select these options, for the public to access the bucket and the objects, you still need to edit/add policies in the "Bucket policy" section:

[Screenshot: the "Bucket policy" section]

You need to edit the above policy to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myapp/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity 111111111"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myapp/*"
        }
    ]
}

If you do not specify "Effect": "Allow", "Principal": "*", then the default policy is "block".

So, why do we need the "Block public access" part if public is already blocked by default?

CodePudding user response:

Block Public Access feature is another layer of protection for buckets. Amazon S3 buckets and objects are private and protected by default, with the option to use Access Control Lists (ACLs) and bucket policies to grant access to other AWS accounts or to public (anonymous) requests.

Before the release of the Block Public Access feature, it was common to see more data leaks and breaches centered around data stored on S3 due to misconfiguration. It was not Amazon's fault; it was the company's fault.

So, if you want to make a bucket or the objects within it publicly accessible, first you need to disable this additional layer of security (disabling it does not mean the bucket or objects are public, it only means that you can make them public) and then make them public via ACL, bucket policies, etc.


Reference:

Amazon S3 Block Public Access – Another Layer of Protection for Your Accounts and Buckets
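Added illustration (not from the question or the answer): a small Python model of how the two layers combine. The bucket policy is the explicit grant, and Block Public Access is a veto on top of it: BlockPublicPolicy rejects storing a public policy, and RestrictPublicBuckets ignores a public grant that is already there. The setting names are the real PublicAccessBlock fields; the evaluation logic is a simplified model (no Deny statements, ACLs or account-level settings), and the sample policy is the one from the question with its placeholder OAI id.

```python
import fnmatch

# Toy model of S3's two layers for public access. Not the AWS policy engine:
# Deny statements, ACLs, conditions and account-level BPA are not modelled.

def statement_is_public(stmt):
    """An Allow statement whose principal is everyone ("*" or {"AWS": "*"})."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_is_public(policy):
    """True if any statement hands out an Allow to everyone."""
    return any(statement_is_public(s) for s in policy.get("Statement", []))

def policy_grants_anonymous(policy, action="s3:GetObject"):
    """True if a public statement covers the action (s3:Get*, s3:*, * also match)."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if statement_is_public(stmt) and any(fnmatch.fnmatchcase(action, a) for a in actions):
            return True
    return False

def put_policy_accepted(policy, bpa):
    """Layer 1 (BlockPublicPolicy): S3 refuses to store a policy that is public."""
    return not (bpa.get("BlockPublicPolicy", False) and policy_is_public(policy))

def anonymous_allowed(policy, bpa, action="s3:GetObject"):
    """Layer 2 (RestrictPublicBuckets): an existing public grant is ignored at request time."""
    if not policy_grants_anonymous(policy, action):
        return False  # default deny: no statement grants the public anything
    return not bpa.get("RestrictPublicBuckets", False)

# Constructed sample: the policy from the question (placeholder OAI id kept as-is).
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::myapp/*"},
    {"Sid": "2", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity 111111111"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::myapp/*"}]}
OAI_ONLY_POLICY = {"Version": "2012-10-17", "Statement": QUESTION_POLICY["Statement"][1:]}
BPA_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BPA_OFF = {k: False for k in BPA_ON}
```

On a real bucket, `aws s3api get-public-access-block` and `aws s3api get-bucket-policy-status` report the same two facts this model combines (the BPA flags and whether the stored policy is public).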
