The S3 Public Access Block feature provides a set of controls that let you centrally manage public access to S3 buckets. The module enables all four block settings by default, following the AWS security best practice of keeping buckets private unless explicitly required otherwise.

How it works

The aws_s3_bucket_public_access_block resource is created whenever the module creates the bucket, attach_public_policy is true (the default) and the bucket is not a directory bucket, as the count expression below shows. It applies four independent access block settings to the bucket:

resource "aws_s3_bucket_public_access_block" "this" {
  count = local.create_bucket && var.attach_public_policy && !var.is_directory_bucket ? 1 : 0

  bucket = aws_s3_bucket.this[0].id

  block_public_acls       = var.block_public_acls
  block_public_policy     = var.block_public_policy
  ignore_public_acls      = var.ignore_public_acls
  restrict_public_buckets = var.restrict_public_buckets
  skip_destroy            = var.skip_destroy_public_access_block
}

Variables

block_public_acls

Default: true
Blocks any PutBucketAcl or PutObjectAcl calls that would grant public access. Also blocks new object uploads made with a public ACL.

block_public_policy

Default: true
Prevents new bucket policies from being applied if they would grant public access to the bucket or its objects.

ignore_public_acls

Default: true
Causes S3 to ignore all public ACLs on the bucket and its objects. Existing public ACLs are not removed, but their grants are not honored.

restrict_public_buckets

Default: true
When the bucket has a public bucket policy, restricts access to the bucket and its objects to only AWS service principals and authorized users within the bucket owner's account, so the public grants in that policy are not honored. Cross-account access requires explicit identity-based policies.

Lifecycle and attachment variables

attach_public_policy

Default: true
Whether to create and attach the aws_s3_bucket_public_access_block resource. Set to false to let upstream infrastructure manage the block settings.

skip_destroy_public_access_block

Default: true
When true, Terraform will not destroy the Public Access Block configuration during terraform destroy. This prevents accidental public exposure during teardown.

Object Ownership

The module also supports controlling S3 Object Ownership, which interacts closely with ACL-based access:

control_object_ownership

Default: false
Whether to manage aws_s3_bucket_ownership_controls on the bucket.

object_ownership

Default: "BucketOwnerEnforced"
Valid values: BucketOwnerEnforced, BucketOwnerPreferred, ObjectWriter.

With the default BucketOwnerEnforced, ACLs are completely disabled — the bucket owner automatically owns and has full control over every object. This is the recommended setting for most use cases.
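The following configuration is an added example, not code from the module's own documentation. It shows the interaction the paragraph above describes: a default bucket where BucketOwnerEnforced disables ACLs outright, next to a cross-account ingest bucket that needs ACLs enabled (BucketOwnerPreferred) and therefore relies on block_public_acls and ignore_public_acls to keep a public ACL from ever being honored. It assumes the module's attach_policy and policy inputs, which this page does not describe, and uses placeholder bucket names and a placeholder partner account ID.

```hcl
# Added example (not the module's own code). Assumed inputs: attach_policy,
# policy. Bucket names and the partner account ID are placeholders.

# 1. Default case: ACLs are disabled entirely by BucketOwnerEnforced, so the
#    two ACL-related block settings have nothing to act on. They stay true
#    anyway, which guards against a later switch to BucketOwnerPreferred.
module "private_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "example-private-bucket" # placeholder

  control_object_ownership = true
  object_ownership         = "BucketOwnerEnforced"

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# 2. Cross-account ingest: a partner account uploads objects and must hand
#    ownership to the bucket owner with the bucket-owner-full-control ACL.
#    That requires ACLs to be enabled, hence BucketOwnerPreferred.
locals {
  ingest_bucket_name = "example-partner-ingest" # placeholder
  partner_account_id = "111122223333"           # placeholder account ID
}

data "aws_iam_policy_document" "ingest" {
  statement {
    sid       = "PartnerPutObjectsOwnedByBucketOwner"
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${local.ingest_bucket_name}/*"]

    # A named cross-account principal, not "*": this policy is not public,
    # so block_public_policy = true does not reject it.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.partner_account_id}:root"]
    }

    # Refuse any upload that does not transfer ownership to the bucket owner.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

module "ingest_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = local.ingest_bucket_name

  control_object_ownership = true
  object_ownership         = "BucketOwnerPreferred"

  attach_policy = true
  policy        = data.aws_iam_policy_document.ingest.json

  # All four stay true. bucket-owner-full-control is not a public ACL, so
  # block_public_acls does not reject the partner's uploads, while a
  # public-read ACL would be rejected on upload and ignored if it already
  # existed on an older object.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

The ingest bucket is the case where the ACL-related block settings do real work: as soon as object_ownership is anything other than BucketOwnerEnforced, ACLs are evaluated again, and only block_public_acls and ignore_public_acls stand between an uploader's public-read ACL and an exposed object.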

Examples

module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-private-bucket"

  # These are all true by default — shown here for clarity
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  attach_public_policy             = true
  skip_destroy_public_access_block = true
}

Disabling any of the four block settings opens your bucket and its objects to potential public access. Only disable these settings when your use case explicitly requires it, such as hosting a public static website. Ensure a restrictive bucket policy is in place to limit access to only the operations and principals you intend.
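The static-website case mentioned above, as an added example that is not part of the module's documentation. It relaxes only the two policy-related block settings that a public bucket policy needs, leaves ACL-based public access blocked, and grants a single read action on objects only. It assumes the module's attach_policy, policy and website inputs, which this page does not describe, and uses a placeholder bucket name.

```hcl
# Added example (not the module's own code). Assumed inputs: attach_policy,
# policy, website. The bucket name is a placeholder.
locals {
  site_bucket_name = "example-static-site" # placeholder
}

# The only public grant: anonymous GetObject on objects. No ListBucket
# (directory listing), no bucket-level actions, no writes.
data "aws_iam_policy_document" "site_read_only" {
  statement {
    sid       = "PublicReadObjectsOnly"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.site_bucket_name}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

module "site_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = local.site_bucket_name

  website = {
    index_document = "index.html"
    error_document = "error.html"
  }

  attach_policy = true
  policy        = data.aws_iam_policy_document.site_read_only.json

  # Relax only what a public bucket policy requires:
  block_public_policy     = false # true would reject the policy above
  restrict_public_buckets = false # true would stop its public grant being honored

  # Keep ACL-based public access blocked; the bucket policy is the sole grant.
  block_public_acls  = true
  ignore_public_acls = true

  # ACLs disabled entirely, so no object can be made public by an uploader.
  control_object_ownership = true
  object_ownership         = "BucketOwnerEnforced"

  # Default, shown for clarity: the block configuration survives teardown.
  skip_destroy_public_access_block = true
}
```

Two settings, not four, change from their defaults, and the policy names one action on one resource pattern. Note that this bucket cannot be made public in an account whose account-level block_public_policy is true; that setting is evaluated as well and rejects the policy regardless of the bucket-level value.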

Account-level public access

The block_public_acls, block_public_policy, ignore_public_acls, and restrict_public_buckets variables control settings at the bucket level. AWS also supports configuring these same four settings at the account level, which acts as a guard rail across all buckets in the account. Use the account-public-access submodule to manage account-level Public Access Block settings:
module "account_public_access_block" {
  source = "terraform-aws-modules/s3-bucket/aws//modules/account-public-access"

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
See the S3 Account-level Public Access Block example for a complete reference.
Account-level block settings are evaluated in addition to bucket-level settings, so a request that violates either is rejected. If the account-level block_public_policy is true, no bucket policy in the account can grant public access regardless of the bucket-level setting.
