AccessControl property - s3 bucket

Published 2019-08-16 13:35

Question:

We have set the following options during creation of the bucket:

  PublicAccessBlockConfiguration:
    BlockPublicAcls: true
    BlockPublicPolicy: true
    IgnorePublicAcls: true
    RestrictPublicBuckets: true

to get the restriction below for any user trying to change this option:

We have also added the option below:

  AccessControl: Private

where possible values are: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead


This is a single-zone VPC:


1) What is the meaning of Private vs PublicRead?

2) An EC2 instance is created within a VPC (by default). Is the bucket created outside the VPC, in the public domain? Where is the bucket created?

Answer 1:

Private means that only the owner has access to that resource, whether it is a bucket or an object. PublicRead means that the resource owner still has full control, but the allUsersGroup, which means everyone, whether an IAM user or not, has read access to the resource. Both Private and PublicRead specify a predefined set of grants, the so-called canned ACLs.

An S3 bucket is not created in your VPC; it lives in the AWS plane, which is not part of your VPC. So by default, when you make an S3 API call from within your VPC, the traffic goes through the Internet. If you need this traffic between resources in your VPC and S3 to go through the private network, then you need to place a VPC Gateway Endpoint for S3 into your VPC and route the S3 traffic through it.

Here is a minimal template containing a new VPC, one subnet, an S3 VPC endpoint, and a route table for that subnet with a route to the S3 endpoint for S3 traffic.

AWSTemplateFormatVersion: 2010-09-09

Resources:
    MyVPC:
        Type: 'AWS::EC2::VPC'
        Properties:
            CidrBlock: 10.0.0.0/16
            EnableDnsHostnames: true
            EnableDnsSupport: true
    MySubnet:
        Type: 'AWS::EC2::Subnet'
        Properties:
            VpcId: !Ref MyVPC
            CidrBlock: 10.0.0.0/24
    MyRouteTable:
        Type: 'AWS::EC2::RouteTable'
        Properties:
            VpcId: !Ref MyVPC
    SubnetRouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
            RouteTableId: !Ref MyRouteTable
            SubnetId: !Ref MySubnet
    S3Endpoint:
        Type: 'AWS::EC2::VPCEndpoint'
        Properties:
            VpcId: !Ref MyVPC
            RouteTableIds:
                - !Ref MyRouteTable
            ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
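As an added illustration (not part of the original question or answer), the Python below models how the canned ACLs named in the question expand to ACL grants and how the all-true PublicAccessBlockConfiguration changes their effect. The AllUsers/AuthenticatedUsers group URIs are the real S3 ones; the owner id is a placeholder, and the block/ignore logic is a local model of the documented semantics rather than a call to AWS.

```python
# Added example (not from the original post): model of how the canned ACLs
# from the question expand to grants and how PublicAccessBlockConfiguration
# changes their effect. Local logic only, no AWS API calls.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# A canned ACL stands for a fixed grant list; the owner always keeps FULL_CONTROL.
CANNED_ACLS = {
    "Private": [],
    "PublicRead": [(ALL_USERS, "READ")],
    "PublicReadWrite": [(ALL_USERS, "READ"), (ALL_USERS, "WRITE")],
    "AuthenticatedRead": [(AUTHENTICATED_USERS, "READ")],
}

def expand_canned_acl(canned, owner_id="OWNER-CANONICAL-ID-PLACEHOLDER"):
    """Grants the canned ACL expands to, in the shape GetBucketAcl returns."""
    grants = [{"Grantee": {"Type": "CanonicalUser", "ID": owner_id},
               "Permission": "FULL_CONTROL"}]
    for uri, perm in CANNED_ACLS[canned]:
        grants.append({"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm})
    return grants

def is_public_grant(grant):
    """S3 counts a grant to AllUsers or AuthenticatedUsers as public."""
    grantee = grant["Grantee"]
    return grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS)

def acl_put_allowed(canned, pab):
    """BlockPublicAcls rejects any PUT that would set a public ACL."""
    public = any(is_public_grant(g) for g in expand_canned_acl(canned))
    return not (public and pab.get("BlockPublicAcls", False))

def effective_public_permissions(grants, pab):
    """Permissions anonymous or any-account principals actually get: with
    IgnorePublicAcls on, public grants stay stored but are no longer honoured."""
    if pab.get("IgnorePublicAcls", False):
        return set()
    return {g["Permission"] for g in grants if is_public_grant(g)}

# Constructed sample: the all-true block configuration from the question.
QUESTION_PAB = {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name in CANNED_ACLS:
        print(name, "PUT allowed:", acl_put_allowed(name, QUESTION_PAB),
              "| public permissions without block:",
              sorted(effective_public_permissions(expand_canned_acl(name), {})))
```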