
Block All Public Access to Bucket

When creating a new Amazon S3 bucket via the AWS Console, by default no public access is allowed to the objects. Depending on how you intend to use the bucket with WP Offload Media, this could be a problem.

When “Block All Public Access” is enabled for a bucket, no direct access to the objects (media files) stored in the bucket is allowed. The only way objects can be accessed is by authenticated API requests such as when WP Offload Media manages the media in the bucket, or by other AWS services that have been given explicit permission to access the objects in a policy applied to the bucket.

If you intend to exclusively use Amazon CloudFront for delivery of your offloaded Media Library items, which we strongly recommend, then please follow our CloudFront Setup for Media Offloaded to Amazon S3 doc. That doc allows for full support of the Block All Public Access setting.

If you would prefer to not use a CDN at all and use raw S3 URLs (e.g. https://ianmjones-sandwichcity.s3.eu-west-2.amazonaws.com/…), or wish to use a CDN other than Amazon CloudFront that needs to be able to access the objects in the bucket in order to work, then you must disable Block All Public Access.

Is Block All Public Access Enabled?

Setting Up WP Offload Media with an Amazon S3 Bucket

When setting up WP Offload Media with Amazon S3 for the first time and Block All Public Access is enabled on a pre-existing bucket, WP Offload Media will warn you and offer to disable it for you.

Block All Public Access to Bucket enabled on initial set up of WP Offload Media

When setting up WP Offload Media with Amazon S3 for the first time and Block All Public Access is disabled on a pre-existing bucket, or you create a new bucket through WP Offload Media, there is no warning as there is no action to take.

When WP Offload Media creates an Amazon S3 bucket for you it leaves Block All Public Access turned off by default.

It is very easy to enable Block All Public Access through WP Offload Media.

WP Offload Media Already Configured

With WP Offload Media already configured with Amazon S3 and a bucket selected, you can see whether Block All Public Access is enabled right in the settings page.

Under the bucket’s name and region, you’ll see “Block All Public Access Enabled” or “Block All Public Access Disabled”.

Block All Public Access to Bucket enabled shown with warning on settings page

In the above screenshot Block All Public Access is enabled and a warning is also shown as Amazon CloudFront has not been selected as the Delivery Provider.

AWS Console

You can tell whether a bucket has Block All Public Access enabled or disabled by visiting the Amazon S3 area of the AWS Console.

In the Access column of the list of buckets you’ll see either “Objects can be public” or “Bucket and objects not public”.

Amazon S3 area of AWS Console showing list of buckets with various Access values

“Objects can be public” means Block All Public Access has been disabled. While the bucket itself remains private and its objects cannot be listed or edited without authorization, the objects (media files) can be viewed if their URL is known.

“Bucket and objects not public” means Block All Public Access has been enabled. The bucket itself is private and its objects cannot be listed, edited or viewed without authorization.

You can also click on the name of a bucket in the list and switch to its Permissions tab.

For a bucket with Block All Public Access disabled you will see the following.

Amazon S3 bucket displayed in AWS Console showing Block All Public Access disabled

For a bucket with Block All Public Access enabled you will see the following.

Amazon S3 bucket displayed in AWS Console showing Block All Public Access enabled

In either case you can click the Edit link to update the Block All Public Access status for the bucket. However, it is easier to do this with WP Offload Media.

Enable or Disable Block All Public Access

With WP Offload Media it is easy to enable or disable Block All Public Access for a bucket.

Click the Change link next to the name of the bucket in WP Offload Media’s settings page.

WP Offload Media settings page with Change bucket link highlighted

On the “What bucket would you like to use?” prompt, just click the Save Bucket Setting button as there are no changes needed here.

Change bucket screen with Save Bucket Setting highlighted

You’re now given the opportunity to change the bucket’s Block All Public Access setting.

The dialog shown is different depending on the current state of the Block All Public Access setting, and which Delivery Provider has been chosen.

Disabled with Amazon S3 as Delivery Provider

When Amazon S3 is the current Delivery Provider and Block All Public Access is disabled, WP Offload Media will warn you that enabling Block All Public Access is not a very good idea.

Block All Public Access disabled prompt in WP Offload Media with CloudFront not as Delivery Provider

Don’t enable Block All Public Access unless all your offloaded Media Library items are private and therefore using signed URLs that give explicit authorization to access the objects.

Disabled with a CDN Delivery Provider other than Amazon CloudFront

When a CDN other than Amazon CloudFront is the current Delivery Provider and Block All Public Access is disabled, WP Offload Media will warn you that enabling Block All Public Access is not a good idea.

Block All Public Access disabled prompt in WP Offload Media with CloudFront not as Delivery Provider

Disabled with CloudFront as Delivery Provider

If Amazon CloudFront has already been set up as the Delivery Provider, but Block All Public Access is currently disabled, WP Offload Media prompts you to confirm that everything is set up as expected and enable Block All Public Access.

Check the box to confirm that you’ve set up the Origin Access Identity and have a correct bucket policy, then click the Enable “Block All Public Access” button.

OME CloudFront Setup - Enable Block All Public Access prompt with confirmation checkbox
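
To make the same checks outside the console and before ticking the confirmation box, the following added example (not WP Offload Media's own code) interprets the JSON returned by `aws s3api get-public-access-block` and the `Policy` string returned by `aws s3api get-bucket-policy`. It assumes "enabled" means all four public access block flags are on; the bucket name, OAI ID and policy are constructed sample data.

```python
import json

# The four settings behind the console's "Block all public access" checkbox.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def _as_list(value):
    return value if isinstance(value, list) else [value]

def block_all_enabled(pab):
    """True only when all four flags are on (assumed meaning of 'enabled')."""
    cfg = pab.get("PublicAccessBlockConfiguration", pab)
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)

def audit_policy(policy_json, bucket):
    """Return (oai_can_read, sids_of_wildcard_allow_statements)."""
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    oai_can_read, public = False, []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        who = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in who:  # conservative: any Condition on the statement is ignored
            public.append(st.get("Sid", "<no Sid>"))
        if (any(str(p).startswith(OAI_PREFIX) for p in who)
                and "s3:GetObject" in _as_list(st.get("Action", []))
                and objects_arn in _as_list(st.get("Resource", []))):
            oai_can_read = True
    return oai_can_read, public

def policy_findings(policy_json, bucket):
    """Items to review before confirming the CloudFront prompt; empty means none found."""
    oai_can_read, public = audit_policy(policy_json, bucket)
    found = [] if oai_can_read else ["no OAI statement allows s3:GetObject on the objects"]
    return found + [f"statement {sid} allows Principal *" for sid in public]

# Constructed sample data: bucket name and OAI ID are placeholders.
BUCKET = "example-media-bucket"
PAB_OFF = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, False)}
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OAIRead", "Effect": "Allow",
     "Principal": {"AWS": OAI_PREFIX + "EXAMPLEOAIID"},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

if __name__ == "__main__":
    print("Block All Public Access enabled:", block_all_enabled(PAB_OFF))
    for finding in policy_findings(POLICY, BUCKET):
        print("review:", finding)
```
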

Enabled with Amazon S3 as Delivery Provider

When Amazon S3 is the current Delivery Provider and Block All Public Access is enabled, WP Offload Media will warn you that having Block All Public Access enabled is not a good idea at all and encourages you to disable it.

Block All Public Access enabled prompt in WP Offload Media with S3 as Delivery Provider

Enabled with a CDN other than Amazon CloudFront as the Delivery Provider

When a CDN other than Amazon CloudFront is the current Delivery Provider and Block All Public Access is enabled, WP Offload Media will warn you that having Block All Public Access enabled is not a good idea at all and encourages you to disable it.

Block All Public Access enabled prompt in WP Offload Media with StackPath as Delivery Provider

Enabled with CloudFront as Delivery Provider

If Amazon CloudFront has already been set up as the Delivery Provider, and Block All Public Access is currently enabled, WP Offload Media lets you know that everything should be fine and that you probably want to leave Block All Public Access enabled.

Block All Public Access enabled prompt in WP Offload Media with CloudFront as Delivery Provider

If you’re in the process of switching Amazon CloudFront distributions or switching away from CloudFront altogether, then you may want to disable Block All Public Access.

Disable Block All Public Access

If Block All Public Access is enabled and you disable it because you’re currently using Amazon S3 or another CDN as the Delivery Provider, or about to switch away from Amazon CloudFront, then WP Offload Media will show the following prompt:

Update Object ACLs prompt in WP Offload Media after Block All Public Access disabled

When Block All Public Access is enabled, WP Offload Media is unable to set the permissions on individual objects to allow site visitors to see them. All access must go through Amazon CloudFront, which is given permission to deliver the media to your site visitors.

If you later disable Block All Public Access, and stop using Amazon CloudFront, then unless WP Offload Media updates all the objects in the bucket to give them either “private” or “public-read” ACL permissions, your site visitors will not be able to see the media you expect to be public. The objects will have a “private” ACL as this is the default for objects added to Amazon S3 buckets.

Hence, WP Offload Media must run a background process to update all the objects to ensure their ACL status is as expected. This is a relatively fast process as no files are transferred, just permissions set on objects through a number of background batch requests to the Amazon S3 API.

Update Object ACLs background process progress displayed in WP Offload Media

You do not need to stay on WP Offload Media’s settings page while the Update Object ACLs tool is running. WP Offload Media will display a WordPress admin dashboard notice when it has completed.