S3 make a public folder private again?
Introduction
In Amazon S3, a “folder” is usually just a key prefix such as images/ or exports/. Making that prefix public or private is really about the policies and object permissions that apply to the matching keys.
To make a public prefix private again, you need to remove whatever grants anonymous access. That usually means checking bucket policy, public ACLs on existing objects, and Block Public Access settings.
Start by Identifying How Access Was Granted
S3 public access commonly comes from one of three places:
- a bucket policy with Principal: "*"
- public object ACLs such as public-read
- static website configuration combined with permissive policy rules
The fix depends on which mechanism was used. Block Public Access is the strongest safety net, but it does not retroactively explain why access was open in the first place, so inspect the bucket carefully.
Turn On Block Public Access
If this bucket should not expose objects publicly, enable Block Public Access at the bucket level. This prevents new public ACLs or policies from re-opening data accidentally.
This is the first control I would set, because it closes the easiest paths back to anonymous access.
Remove Public Bucket Policy Statements
If the bucket policy allows s3:GetObject for everyone on a prefix, delete or tighten that statement.
A statement like that (Principal "*" allowed s3:GetObject on images/*) makes the images/ prefix publicly readable. Remove it or replace it with a narrower principal such as a specific IAM role, CloudFront origin access control, or AWS account.
You can fetch the current policy first with get-bucket-policy, then update it with a revised policy document using put-bucket-policy.
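As an added example (not code from the original post), the following Python script performs the tightening step offline on a policy document such as the one get-bucket-policy returns; the bucket name, role ARN and VPC endpoint id are constructed placeholders. It also covers two cases the text does not spell out: a "*" principal narrowed by a Condition, which needs a human decision, and a policy that becomes empty, which must be deleted rather than re-put.

```python
import json

# Constructed sample bucket policy (not from the original post): a plain public
# grant on images/, a "*" principal narrowed by a Condition, and a role grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadImages", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/images/*"},
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/exports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "ExportsForRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/exports/*"},
]})

def is_anonymous_principal(principal):
    """True when a Principal element names everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def strip_public_statements(policy_text):
    """Return (policy, removed_sids, review_sids).

    Allow statements with an anonymous principal and no Condition are dropped.
    Anonymous statements that carry a Condition (e.g. aws:SourceVpce) are kept
    but listed for manual review. policy is None when nothing remains: call
    delete-bucket-policy then, since put-bucket-policy rejects an empty list.
    """
    policy = json.loads(policy_text)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # grammar allows one bare object
    kept, removed, review = [], [], []
    for stmt in stmts:
        anonymous = stmt.get("Effect") == "Allow" and is_anonymous_principal(stmt.get("Principal"))
        if anonymous and "Condition" not in stmt:
            removed.append(stmt.get("Sid", "<no Sid>"))
            continue
        if anonymous:
            review.append(stmt.get("Sid", "<no Sid>"))
        kept.append(stmt)
    if not kept:
        return None, removed, review
    policy["Statement"] = kept
    return policy, removed, review
```

Deny statements are never removed, because a Deny with Principal "*" is a guard, not a grant.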
Clean Up Existing Object ACLs if Needed
Modern S3 setups often avoid ACLs entirely, but older buckets may still have objects marked public-read. If so, remove the public grant or reset ownership controls and object ACLs.
If many objects were exposed through ACLs, you will need to update those objects individually or through a controlled bulk process. The important point is conceptual: changing one “folder” setting is not enough if the objects themselves carry public ACLs.
Verify with an Anonymous Request
After tightening permissions, verify from outside your AWS identity context. The quickest check is an unauthenticated curl against a known object URL. A private object should return an access denied response instead of the file contents.
If access still works, one of the permission layers is still open. Check CloudFront, website hosting, replicated buckets, or a second overlapping policy.
Think in Terms of Principals, Not Folders
The safer mental model is: “Which principal can call GetObject on which keys?” Once you frame the problem that way, S3 behavior becomes easier to reason about. Prefixes are just part of the resource ARN. They are not security containers by themselves.
That distinction matters in audits. A bucket can be private by default while one prefix stays public because of one policy statement.
Common Pitfalls
- Treating an S3 folder like a real directory with its own permission object. In S3, prefixes are naming conventions, not separate containers.
- Removing a public bucket policy but forgetting public object ACLs. Legacy ACLs can still expose data.
- Skipping Block Public Access. Without it, future changes can accidentally reintroduce public access.
- Testing while still authenticated in the AWS console or CLI. A request that succeeds with your own credentials says nothing about anonymous access, so it can hide the fact that anonymous access is already blocked.
- Forgetting downstream distribution layers. CloudFront or static website hosting can still serve cached or proxied objects.
Summary
- S3 “folders” are prefixes, so privacy depends on policies and object permissions.
- Enable Block Public Access to prevent accidental anonymous exposure.
- Remove any bucket policy statements that grant GetObject to everyone.
- Reset public ACLs on objects if the bucket still uses ACL-based access.
- Verify with an anonymous request so you know public access is actually gone.