

# Amazon S3 policies


Amazon S3 policies allow you to centrally manage configurations for Amazon S3 resources at scale across the accounts in an organization. Amazon S3 policies currently support settings for blocking public access.

You can use an Amazon S3 policy to specify whether to enable or disable all four Block Public Access settings, and that specification will apply to all Amazon S3 resources within selected accounts. You can use Block Public Access settings in an Amazon S3 policy to enforce consistent security posture across your organization and eliminate the operational overhead of managing individual account configurations.

## How it works


When you attach an Amazon S3 policy to an organizational entity, it defines settings that apply to all Amazon S3 resources within accounts in that scope. These configurations override account-level settings, allowing you to centrally manage Amazon S3 settings.

Amazon S3 policies can be applied to an entire organization, organizational units (OUs), or individual accounts. Accounts joining an organization will automatically inherit any Amazon S3 policies based on their location in the organization hierarchy.

Detachment behavior: If an Amazon S3 policy is detached, accounts automatically revert to their previous account-level configuration. Amazon S3 preserves the original account-level settings to enable seamless restoration.

## Key features

+ Unified control: All four Block Public Access settings (BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, RestrictPublicBuckets) are controlled together as a single configuration
+ Automatic inheritance: New accounts automatically inherit policies based on their organizational placement
+ Override protection: Prevents account-level modifications when organization policies are active
+ Seamless restoration: Original account settings are preserved and restored when policies are detached

## Prerequisites


Before using Amazon S3 policies, ensure you have:
+ An organization in Amazon Organizations with all features enabled
+ Permissions to manage Amazon Organizations policies (organizations:CreatePolicy, organizations:AttachPolicy, etc.)
+ The Amazon S3 policy type enabled for your organization

# Best practices for using Amazon S3 policies

When implementing Amazon S3 policies across your organization, following established best practices helps ensure successful deployment and maintenance.

## Start simply and make small changes


To simplify debugging, start with simple policies and make changes one item at a time. Validate the behavior and impact of each change before making the next change. This approach reduces the number of variables you have to account for when an error or unexpected result does happen.

## Establish review processes


Implement processes to monitor for new policy attributes, evaluate policy exceptions, and make adjustments to maintain alignment with your organizational security and operational requirements.

## Validate changes to your Amazon S3 policies using DescribeEffectivePolicy


After you make a change to an Amazon S3 policy, check the effective policies for representative accounts below the level where you made the change. You can view the effective policy by using the Amazon Management Console, or by using the DescribeEffectivePolicy API operation or one of its Amazon CLI or Amazon SDK variants. Ensure that the change you made had the intended impact on the effective policy.

## Communicate and train


Ensure your organization understands the purpose and impact of your policies. Provide clear guidance on the expected behaviors and how to handle failures due to policy enforcement.

## Plan for legitimate public access needs


Before implementing organization-level policies, identify accounts that require public Amazon S3 buckets for legitimate business purposes (such as static website hosting). Consider using OU-level or account-level policy attachment to exclude these accounts, or consolidate public bucket needs into dedicated accounts.

## Monitor policy enforcement


Use Amazon CloudTrail to monitor policy attachment and enforcement actions. Set up EventBridge rules to automate responses to policy violations or changes.
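As an added illustration, not taken from the page or from the Organizations service itself, the block below holds an EventBridge rule pattern for the policy lifecycle calls a defender would want alerted on, plus a small matcher so the pattern can be exercised offline against constructed CloudTrail records; the `source` and `detail-type` strings are assumed to be the standard ones EventBridge uses for CloudTrail-delivered API calls.

```python
# EventBridge rule pattern for Amazon S3 policy lifecycle calls recorded by
# CloudTrail. Assumption: "aws.organizations" / "AWS API Call via CloudTrail"
# are the source and detail-type EventBridge attaches to such events.
POLICY_CHANGE_PATTERN = {
    "source": ["aws.organizations"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["organizations.amazonaws.com"],
        "eventName": ["CreatePolicy", "UpdatePolicy", "DeletePolicy",
                      "AttachPolicy", "DetachPolicy"],
    },
}


def matches(pattern, event):
    """Minimal EventBridge pattern matcher: every key in the pattern must be
    present in the event; a list means "value is one of these", a nested
    dict recurses. Only exact-match semantics are implemented here."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def select_policy_changes(events):
    """Return (eventName, targetId, caller ARN) for each event the rule would fire on."""
    hits = []
    for ev in events:
        if matches(POLICY_CHANGE_PATTERN, ev):
            d = ev["detail"]
            hits.append((d["eventName"],
                         d.get("requestParameters", {}).get("targetId"),
                         d.get("userIdentity", {}).get("arn")))
    return hits


# Constructed sample events in the shape EventBridge delivers CloudTrail records
# (IDs and ARNs are made up for the example).
SAMPLE_EVENTS = [
    {"source": "aws.organizations", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "organizations.amazonaws.com", "eventName": "DetachPolicy",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
                "requestParameters": {"policyId": "p-examplepolicy1", "targetId": "ou-exam-ple12345"}}},
    {"source": "aws.organizations", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "organizations.amazonaws.com", "eventName": "ListPolicies",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:role/reader"}}},
    {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}},
]

if __name__ == "__main__":
    for hit in select_policy_changes(SAMPLE_EVENTS):
        print("policy change:", hit)
```

A `DetachPolicy` against an OU is the event most worth routing to a ticket or a pager, since the page notes that detaching the policy returns every account under that OU to its previous account-level settings.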

# Amazon S3 policy syntax and examples


An Amazon S3 policy is a plaintext file that is structured according to the rules of [JSON](http://json.org). The syntax for Amazon S3 policies follows the syntax for all management policy types. For more information, see [Understanding management policy inheritance](orgs_manage_policies_inheritance_mgmt.md). This topic focuses on applying that general syntax to the specific requirements of the Amazon S3 policies and the Block Public Access settings they help manage.

The following Amazon S3 policy example shows the basic policy syntax:

```
{
    "s3_attributes": {
        "public_access_block_configuration": {
            "@@assign": "all"
        }
    }
}
```

## The Amazon S3 policy syntax includes the following elements


`s3_attributes`  
The top-level key for Amazon S3 policy configuration.

`public_access_block_configuration`  
Defines the Block Public Access behavior for the organization.

`@@assign`  
The assignment operator that accepts one of two values:  
+ `"all"` - Enables all four Amazon S3 Block Public Access settings at the organization level
+ `"none"` - Disables organization-level control, allowing individual accounts to manage their own Block Public Access settings

Amazon S3 Block Public Access has four settings that control public access:

1. **BlockPublicAcls** - Amazon S3 will block public access permissions applied to newly added buckets or objects, and prevent the creation of new public access control lists (ACLs) for existing buckets and objects. This setting doesn't change any existing permissions that allow public access to Amazon S3 resources using ACLs.

1. **BlockPublicPolicy** - Amazon S3 will block new bucket and access point policies that grant public access to buckets and objects. This setting doesn't change any existing policies that allow public access to Amazon S3 resources.

1. **IgnorePublicAcls** - Amazon S3 will ignore all ACLs that grant public access to buckets and objects.

1. **RestrictPublicBuckets** - Amazon S3 will ignore public and cross-account access for buckets or access points with policies that grant public access to buckets and objects.

When you set `@@assign` to `"all"`, all four settings are consolidated and enabled at the organization level, providing comprehensive protection against public access across all accounts in your organization.
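As an added example (not code from the page or from the service), the following Python checks a policy document against the syntax described above, rejecting unknown keys and values so a typo is caught before the policy is attached, and shows which Block Public Access settings an account ends up with under `"all"` versus `"none"`; the account-level settings dictionary is a constructed sample standing in for the configuration the page says is preserved and restored on detach.

```python
import json

# The four settings that "@@assign": "all" turns on together.
BPA_SETTINGS = ("BlockPublicAcls", "BlockPublicPolicy",
                "IgnorePublicAcls", "RestrictPublicBuckets")


def parse_s3_policy(text):
    """Validate an Amazon S3 policy document and return its @@assign value.

    Unknown keys are rejected so a misspelling such as "s3_attribute" fails
    loudly instead of producing a policy that silently changes nothing.
    """
    doc = json.loads(text)
    if not isinstance(doc, dict) or set(doc) != {"s3_attributes"}:
        raise ValueError("expected a single top-level key 's3_attributes'")
    attrs = doc["s3_attributes"]
    if not isinstance(attrs, dict) or set(attrs) != {"public_access_block_configuration"}:
        raise ValueError("s3_attributes must contain only 'public_access_block_configuration'")
    block = attrs["public_access_block_configuration"]
    if not isinstance(block, dict) or set(block) != {"@@assign"}:
        raise ValueError("public_access_block_configuration must contain only '@@assign'")
    value = block["@@assign"]
    if value not in ("all", "none"):
        raise ValueError(f"@@assign must be 'all' or 'none', got {value!r}")
    return value


def effective_settings(assignment, account_settings):
    """Settings in force for an account: "all" enables all four regardless of
    the account's own configuration; "none" (or no policy) leaves the
    account-level settings in force."""
    if assignment == "all":
        return {name: True for name in BPA_SETTINGS}
    return {name: bool(account_settings.get(name, False)) for name in BPA_SETTINGS}


# Constructed sample: an organization-wide policy and an account whose own
# configuration had two settings off before the policy was attached.
ORG_POLICY = '{"s3_attributes": {"public_access_block_configuration": {"@@assign": "all"}}}'
ACCOUNT_BEFORE = {"BlockPublicAcls": True, "BlockPublicPolicy": False,
                  "IgnorePublicAcls": True, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    assignment = parse_s3_policy(ORG_POLICY)
    print("while attached:", effective_settings(assignment, ACCOUNT_BEFORE))
    print("after detach:  ", effective_settings("none", ACCOUNT_BEFORE))
```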