
Block All Public Access to Bucket

When creating a new Amazon S3 bucket via the AWS Console, by default no public access is allowed to the objects. Depending on how you intend to use the bucket with WP Offload Media, this could be a problem.

When “Block All Public Access” is enabled for a bucket, no direct access to the objects (media files) stored in the bucket is allowed. The only way objects can be accessed is by authenticated API requests such as when WP Offload Media manages the media in the bucket, or by other AWS services that have been given explicit permission to access the objects in a policy applied to the bucket.

If you intend to exclusively use Amazon CloudFront for delivery of your offloaded Media Library items, which we strongly recommend, then please follow our CloudFront Setup for Media Offloaded to Amazon S3 doc. That doc allows for full support of the Block All Public Access setting.

If you would prefer to not use a CDN at all and use raw S3 URLs (e.g. https://media-example-com.s3.eu-west-2.amazonaws.com/…), or wish to use a CDN other than Amazon CloudFront that needs to be able to access the objects in the bucket in order to work, then you must disable Block All Public Access.

Is Block All Public Access Enabled?

There are a few ways to determine whether Block All Public Access to Bucket is enabled on a bucket being used with WP Offload Media.

Setting Up WP Offload Media with an Amazon S3 Bucket

When setting up WP Offload Media with Amazon S3 for the first time and Block All Public Access is enabled on a pre-existing bucket, WP Offload Media will warn you and offer to disable it for you.

Screenshot of when Block All Public Access to Bucket is enabled on initial set up of WP Offload Media

When setting up WP Offload Media with Amazon S3 for the first time and Block All Public Access is disabled on a pre-existing bucket, or you create a new bucket through WP Offload Media, there is no warning as there is no action to take.

When WP Offload Media creates an Amazon S3 bucket for you it leaves Block All Public Access turned off by default.

It is very easy to enable Block All Public Access through WP Offload Media.

WP Offload Media Already Configured

With WP Offload Media already configured with Amazon S3 and a bucket selected, you can see whether Block All Public Access is enabled by clicking the Edit button to the right of “Amazon S3” in the Storage Settings panel’s header.

Screenshot of WP Offload Media settings page showing Storage Settings panel

In the Storage sub page, skip to the “Security” page by clicking Security in the sub navigation.

Screenshot of when Block All Public Access is enabled after initial set up of WP Offload Media

However, if Block All Public Access to Bucket is enabled and the Delivery Provider does not support it (e.g. it’s not CloudFront), then you will see a very obvious warning in the settings page’s Media tab.

Screenshot of Block All Public Access warning in settings page

AWS Console

You can tell whether a bucket has Block All Public Access enabled or disabled by visiting the Amazon S3 area of the AWS Console.

Click on the name of a bucket in the list and switch to its Permissions tab. Scroll down to the Block public access (bucket settings) panel.

For a bucket with Block All Public Access disabled you will see a warning icon and the word “Off” in red.

Screenshot of an Amazon S3 bucket displayed in AWS Console showing Block All Public Access disabled

For a bucket with Block All Public Access enabled you will see a circled check mark icon with the word “On” in green.

Screenshot of an Amazon S3 bucket displayed in AWS Console showing Block All Public Access enabled

In either case you can click the Edit link to update the Block All Public Access status for the bucket; however, it is easier to do this with WP Offload Media.

IMPORTANT: There is also a Block public access (account settings) page, reachable from the Amazon S3 sidebar, that can be used to block public access to objects in all existing and new buckets in the account. If the AWS account is relatively new, or someone has visited this settings page and turned on the blocking of public access, you may need to visit the page, click “Edit”, clear the “Block all public access” checkbox, and then save the changes.

Screenshot of Amazon S3 Block Public Access Account Settings

If you have used WP Offload Media’s “Disable Block All Public Access” button but it does not seem to have worked, or you receive “Access Denied” error messages, please visit that Block public access (account settings) page in the AWS Console.
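The account-level setting described above combines with the bucket-level setting, and S3 applies the most restrictive combination, which is why the bucket-level “Disable Block All Public Access” button can appear not to work. The following added example (not WP Offload Media’s own code) works out the effective status from the two configurations; the dicts have the shape of the `PublicAccessBlockConfiguration` returned by boto3’s `get_public_access_block` calls, but are constructed here rather than fetched, and `None` stands for a level that has no configuration at all.

```python
# Added example: combine bucket- and account-level S3 Block Public Access
# settings the way S3 does (most restrictive wins) and report which level
# is responsible. Input dicts are constructed, not fetched from AWS.

BPA_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def effective_settings(bucket_cfg, account_cfg):
    """Return {setting: "bucket" | "account" | "both" | None}.

    A setting is effectively on if either level turns it on. A level with no
    configuration (boto3 raises NoSuchPublicAccessBlockConfiguration) is
    passed as None and treated as all settings off.
    """
    bucket_cfg = bucket_cfg or {}
    account_cfg = account_cfg or {}
    result = {}
    for name in BPA_SETTINGS:
        at_bucket = bool(bucket_cfg.get(name, False))
        at_account = bool(account_cfg.get(name, False))
        if at_bucket and at_account:
            result[name] = "both"
        elif at_bucket:
            result[name] = "bucket"
        elif at_account:
            result[name] = "account"
        else:
            result[name] = None
    return result


def block_all_status(bucket_cfg, account_cfg):
    """Map the four settings to what the console calls Block All Public Access.

    Returns ("on" | "off" | "partial", sorted list of levels that block).
    "on" means every setting is enforced at some level; "off" means none is.
    """
    eff = effective_settings(bucket_cfg, account_cfg)
    enforced = [name for name, level in eff.items() if level]
    levels = sorted({level for level in eff.values() if level})
    if len(enforced) == len(BPA_SETTINGS):
        return "on", levels
    if not enforced:
        return "off", levels
    return "partial", levels


# Constructed scenario: bucket-level blocking has been disabled (as the WP
# Offload Media button does) but the account-level setting is still on, so
# objects remain unreachable and the console account page must be edited.
EXAMPLE_BUCKET = {name: False for name in BPA_SETTINGS}
EXAMPLE_ACCOUNT = {name: True for name in BPA_SETTINGS}
```

A status of `("on", ["account"])` for the constructed scenario is the case the note above describes: only the account-level page in the AWS Console will clear it.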

Enable or Disable Block All Public Access

With WP Offload Media it is easy to enable or disable Block All Public Access for a bucket.

Click the Edit button to the right of “Amazon S3” in the Storage Settings panel’s header.

Screenshot of WP Offload Media settings page showing Storage Settings panel

In the Storage sub page, skip to the “Security” page by clicking Security in the sub navigation.

You’re now given the opportunity to change the bucket’s Block All Public Access setting on the Bucket Security page.

The dialog shown is different depending on the current state of the Block All Public Access setting, and which Delivery Provider has been chosen.

Please note that the Bucket Security page also allows you to manage whether the bucket enforces object ownership; we discuss that in our Amazon S3 Bucket Object Ownership guide.

Disabled with Amazon S3 as Delivery Provider

When Amazon S3 is the current Delivery Provider and Block All Public Access is disabled, WP Offload Media will warn you that enabling Block All Public Access is not a very good idea.

Screenshot of Bucket Security page with Block All Public Access disabled prompt with CloudFront not set as Delivery Provider

Don’t enable Block All Public Access unless all your offloaded Media Library items are private and therefore using signed URLs that give explicit authorization to access the objects.

Disabled with a CDN Delivery Provider other than Amazon CloudFront

When a CDN other than Amazon CloudFront is the current Delivery Provider and Block All Public Access is disabled, WP Offload Media will warn you that enabling Block All Public Access is not a good idea.

Screenshot of Bucket Security page with Block All Public Access disabled prompt with CloudFront not set as Delivery Provider

Disabled with CloudFront as Delivery Provider

If Amazon CloudFront has already been set up as the Delivery Provider, but Block All Public Access is currently disabled, WP Offload Media prompts you to confirm that everything is set up as expected and enable Block All Public Access.

Screenshot of bucket security page in WP Offload Media when CloudFront configured but Block All Public Access and Object Ownership Enforcement turned off

Toggle the switch “on” in the “Block All Public Access” panel’s header, and then check the box to confirm that you’ve set up the Origin Access Identity and have a correct bucket policy. If you wish, you can also enforce Object Ownership in the bucket; that is discussed in our Amazon S3 Bucket Object Ownership doc. Click the Update Bucket Security button to apply the changes.

Screenshot of bucket security page in WP Offload Media when CloudFront configured and Block All Public Access and Object Ownership Enforcement just turned on

Enabled with Amazon S3 as Delivery Provider

When Amazon S3 is the current Delivery Provider and Block All Public Access is enabled, WP Offload Media will warn you that having Block All Public Access enabled is not a good idea at all and encourages you to disable it.

Screenshot of Bucket Security page with Block All Public Access enabled prompt with S3 as Delivery Provider

Enabled with a CDN other than Amazon CloudFront as the Delivery Provider

When a CDN other than Amazon CloudFront is the current Delivery Provider and Block All Public Access is enabled, WP Offload Media will warn you that having Block All Public Access enabled is not a good idea at all and encourages you to disable it.

Screenshot of Bucket Security page with Block All Public Access enabled prompt with StackPath as Delivery Provider

Enabled with CloudFront as Delivery Provider

If Amazon CloudFront has already been set up as the Delivery Provider, and Block All Public Access is currently enabled, WP Offload Media lets you know that everything should be fine and that you probably want to leave Block All Public Access enabled.

Screenshot of Bucket Security page with Block All Public Access enabled prompt with CloudFront as Delivery Provider

If you’re in the process of switching Amazon CloudFront distributions or switching away from CloudFront altogether, then you may want to disable Block All Public Access.

Disable Block All Public Access

If Block All Public Access is enabled and you disable it because you’re currently using Amazon S3 or another CDN as the Delivery Provider, or about to switch away from Amazon CloudFront, then WP Offload Media will ask whether you would like to add ACLs to the offloaded objects.

Screenshot of Update Object ACLs prompt after Block All Public Access disabled

When Block All Public Access is enabled, WP Offload Media is unable to set the permissions on individual objects to allow site visitors to see them. All access must go through Amazon CloudFront, which is given permission to deliver the media to your site visitors.

If you later disable Block All Public Access, and stop using Amazon CloudFront, then unless WP Offload Media updates all the objects in the bucket to give them either “private” or “public-read” ACL permissions, your site visitors will not be able to see the media you expect to be public. The objects will have a “private” ACL as this is the default for objects added to Amazon S3 buckets.

Hence, WP Offload Media must run a background process to update all the objects to ensure their ACL status is as expected. This is a relatively fast process as no files are transferred; only permissions are set on objects, through a number of background batch requests to the Amazon S3 API.

Please note that if Block All Public Access is disabled but Object Ownership is Enforced, then this prompt will not be shown as ACLs will still be disabled.

Clicking Yes will start the process of adding ACLs to all the objects in the bucket.

Screenshot of the Update Object ACLs background process progress displayed in the tools tab

You do not need to stay on WP Offload Media’s settings page while the Update Object ACLs tool is running; WP Offload Media will display a WordPress admin dashboard notice when it has completed.