How do you make an S3 bucket private and prevent public exposure?
AWS · Basic level
Answer
To keep an S3 bucket private, I enable Block Public Access, disable ACLs with bucket owner enforced mode, avoid public policies, grant only scoped roles, require TLS/encryption where needed, and monitor with Access Analyzer and Config.
Technical explanation
Public exposure can come from bucket policy, ACLs, presigned URLs, broad IAM roles, or CloudFront origin misconfiguration.
S3 security should start with Block Public Access, least-privilege IAM/bucket policies, encryption, ownership controls, and CloudTrail or S3 data-event visibility for sensitive buckets.
Cost management depends on lifecycle policies, storage classes, version retention, object size, retrieval fees, and access patterns.
Operationally, validate bucket policies, KMS permissions, lifecycle effects, and restore behavior before applying broad production changes.
Hands-on example
1. Create a non-production bucket with Block Public Access, bucket owner enforced object ownership, default encryption, and scoped IAM access.
2. Add a policy control relevant to the question, such as deny non-TLS, require SSE-KMS, or restrict access to a VPC endpoint.
3. Enable versioning or lifecycle where relevant, upload test objects, and verify transitions, deletes, restores, and access-denied behavior.
4. Review Access Analyzer, Config, CloudTrail, and Storage Lens before applying the pattern to production.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More AWS interview questions
- What is the AWS shared responsibility model, and where is the line between AWS and the customer?
- Explain the difference between a Region, an Availability Zone, and an Edge Location.
- What is a VPC, and what are its core components (subnets, route tables, IGW, NAT)?
- Difference between a public and a private subnet, and how does each reach the internet?
- What is the difference between a Security Group and a Network ACL?
- Are Security Groups stateful or stateless? What about NACLs?
- What is an Internet Gateway versus a NAT Gateway, and when do you need each?
- How does a NAT Gateway differ from a NAT instance?