Command to make a bucket public #87

Open
simonw opened this issue Apr 5, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

Owner

simonw commented Apr 5, 2024

Related to:

@simonw simonw added the enhancement New feature or request label Apr 5, 2024
Owner Author

simonw commented Apr 5, 2024

Here's my prototype:

import json

import botocore.exceptions
import click

# cli, common_boto3_options, make_client and policies are the existing helpers in
# s3-credentials' own cli module; the prototype is meant to live alongside them.


@cli.command()
@click.argument("bucket")
@common_boto3_options
def make_bucket_public(bucket, **boto_options):
    """
    Make a bucket public. All files will be visible to anyone who knows the URL.

       s3-credentials make-bucket-public my-bucket
    """
    s3 = make_client("s3", **boto_options)
    try:
        # Step 1: clear all four Block Public Access flags. If they stay set, S3
        # rejects (BlockPublicPolicy) or neutralises (RestrictPublicBuckets) the
        # public bucket policy written in step 2.
        print("Putting public access block")
        response1 = s3.put_public_access_block(
            Bucket=bucket,
            PublicAccessBlockConfiguration={
                "BlockPublicAcls": False,
                "IgnorePublicAcls": False,
                "BlockPublicPolicy": False,
                "RestrictPublicBuckets": False,
            },
        )
        # Step 2: attach a bucket policy granting s3:GetObject to everyone.
        print("Putting bucket policy")
        response2 = s3.put_bucket_policy(
            Bucket=bucket,
            Policy=json.dumps(policies.bucket_policy_allow_all_get(bucket)),
        )
    except botocore.exceptions.ClientError as ex:
        click.echo(ex.__dict__, err=True)
        # ClickException expects a message string, not the exception object.
        raise click.ClickException(str(ex))
    click.echo(json.dumps(response1, indent=4, default=str))
    click.echo(json.dumps(response2, indent=4, default=str))

Owner Author

simonw commented Apr 5, 2024

I think it's possible the s3-credentials create name-of-bucket --create-bucket --public command doesn't work correctly because it doesn't do the s3.put_public_access_block bit.

Owner Author

simonw commented Apr 5, 2024

I asked ChatGPT what all of those boolean flags meant and it said:

The PublicAccessBlockConfiguration settings are used to manage public access to your S3 bucket. Each boolean option in this configuration controls a specific aspect of public access:

  1. BlockPublicAcls:
    • When set to True, this setting prevents the application of any new public Access Control Lists (ACLs) to the bucket or its objects. It doesn't change the existing ACLs but blocks any attempt to put a new ACL that grants public access.
    • When set to False, it allows the application of new public ACLs to the bucket and its objects.
  2. IgnorePublicAcls:
    • When set to True, this setting ignores any public ACLs on the bucket and its objects, effectively treating them as private. Even if an object has a public ACL, it won't be publicly accessible.
    • When set to False, it respects the public ACLs on the bucket and its objects, allowing public access if a public ACL is set.
  3. BlockPublicPolicy:
    • When set to True, this setting prevents the application of any new public bucket policies to the bucket. It blocks attempts to put a new bucket policy that grants public access.
    • When set to False, it allows the application of new public bucket policies to the bucket.
  4. RestrictPublicBuckets:
    • When set to True, this setting restricts access to the bucket to only AWS services and authorized users within the bucket owner's account, even if the bucket has a public policy. It effectively blocks public access granted by bucket policies.
    • When set to False, it allows public access granted by bucket policies.

By configuring these settings, you can control the level of public access to your S3 bucket and its objects, enhancing the security of your data. For example, setting all options to True provides the strictest level of access control, ensuring that the bucket and its objects are not publicly accessible under any circumstances.

So I think they should all be False if a bucket is going to serve public files.
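As an added example (not code from this issue or from s3-credentials), the following applies the four PublicAccessBlockConfiguration flags as explained above to a bucket's policy and ACL state, and gives the pre-check that a `--public` path skipping `put_public_access_block` would fail. The sample policy's shape and the bucket name are constructed assumptions, not output of the project's `policies` module.

```python
from typing import Optional

FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
STRICT_ACCESS_BLOCK = {flag: True for flag in FLAGS}   # block every form of public access
OPEN_ACCESS_BLOCK = {flag: False for flag in FLAGS}    # what the prototype above writes

# Constructed sample: a policy letting anyone GET objects. Its shape is an assumption
# for this example, not the output of the project's policies module.
SAMPLE_PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::my-bucket/*"]}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} matches any caller, including anonymous ones."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def policy_grants_public_get(policy: dict) -> bool:
    """True if some Allow statement lets an anonymous principal call s3:GetObject."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")):
            if any(a in ("s3:GetObject", "s3:*", "*") for a in _as_list(stmt.get("Action", []))):
                return True
    return False

def effective_public_access(block: dict, policy: Optional[dict], has_public_acl: bool = False) -> dict:
    """Apply the four flags to a bucket's current policy and ACL state.

    RestrictPublicBuckets overrides a public bucket policy and IgnorePublicAcls overrides
    public ACLs; the two Block* flags only stop NEW public grants from being written, so
    they do not revoke existing ones. A missing flag is treated as True (blocking).
    """
    via_policy = (bool(policy) and policy_grants_public_get(policy)
                  and not block.get("RestrictPublicBuckets", True))
    via_acl = has_public_acl and not block.get("IgnorePublicAcls", True)
    return {"via_policy": via_policy, "via_acl": via_acl, "public": via_policy or via_acl}

def make_public_blockers(block: dict) -> list:
    """Flags still True that defeat the make-bucket-public flow: BlockPublicPolicy makes
    S3 reject a public put_bucket_policy call, RestrictPublicBuckets neutralises the
    policy once written. An empty list means the public policy will take effect."""
    return [flag for flag in FLAGS if block.get(flag, True)]
```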
