Ensure that the Amazon S3 Block Public Access feature is enabled at your AWS account level to restrict public access to all your S3 buckets, including those that you create in the future. This feature can override existing policies and permissions in order to block S3 public access and to make sure that this type of access is not granted to newly created buckets and objects. When configuring Amazon S3 Block Public Access, you have two options for managing public ACLs and two for managing public bucket policies:
1. Manage public Access Control Lists (ACLs):
- Block new public ACLs and uploading public objects (BlockPublicAcls)
- Remove public access granted through public ACLs (IgnorePublicAcls)
2. Manage public S3 bucket policies:
- Block new public bucket policies (BlockPublicPolicy)
- Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets)
By default, this conformity rule checks for all four settings (i.e. BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) in order to determine if the feature is enabled or not. However, you can customize the rule configuration by disabling/enabling these settings within your Cloud Conformity account.
Unless the Amazon S3 service is used for web hosting or public data repositories within your AWS account, blocking public access to all your S3 data will serve as an account-level guard against accidental public exposure. Cloud Conformity strongly recommends that you use the Amazon S3 Block Public Access feature for any AWS account that is used for internal applications.
To determine if Amazon S3 public access is blocked at the AWS account level, perform the following actions:
To enable the Amazon S3 Public Access Block feature and deny all public access at your AWS account level, perform the following actions:
Note: By default, to comply with the rule configuration, all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) need to be activated in order to enable Amazon S3 Public Access Block.
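The following Python helper is an added example, not Cloud Conformity's own code and not part of this page. It implements the check described above (all four settings must be true by default, with the required set configurable to mirror a customized rule) and builds the configuration document that the remediation step would apply. The sample responses inside it are constructed; the `fetch_account_config` helper assumes boto3 is installed with credentials that allow `s3control:GetPublicAccessBlock`, and is never called when the module is imported. The `NoSuchPublicAccessBlockConfiguration` error code is the one the S3 Control API returns when an account has no configuration at all, which the rule treats as non-compliant.

```python
"""Evaluate and remediate the account-level S3 Public Access Block.

Added example (not Cloud Conformity's code). Works offline on a plain
dict shaped like the PublicAccessBlockConfiguration that
boto3.client("s3control").get_public_access_block(AccountId=...) returns.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# The four account-level settings named by the rule.
ALL_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def evaluate_public_access_block(
    config: Optional[Dict[str, bool]],
    required: Iterable[str] = ALL_SETTINGS,
) -> Tuple[bool, List[str]]:
    """Return (compliant, missing_settings).

    `config` is the PublicAccessBlockConfiguration dict, or None when the
    account has no configuration at all. A required setting counts as
    missing when it is absent or not strictly True.
    """
    required = list(required)
    unknown = [s for s in required if s not in ALL_SETTINGS]
    if unknown:
        raise ValueError(f"unknown Public Access Block setting(s): {unknown}")
    if config is None:
        return False, required
    missing = [s for s in required if config.get(s) is not True]
    return not missing, missing


def remediation_configuration(
    current: Optional[Dict[str, bool]],
    required: Iterable[str] = ALL_SETTINGS,
) -> Dict[str, bool]:
    """Build the PublicAccessBlockConfiguration to pass to
    put_public_access_block.

    PutPublicAccessBlock replaces the whole document, so settings that are
    already True are preserved rather than silently dropped; every required
    setting is forced to True; anything else is written explicitly as False.
    """
    required = set(required)
    current = current or {}
    return {s: bool(current.get(s) is True or s in required) for s in ALL_SETTINGS}


def fetch_account_config(account_id: str) -> Optional[Dict[str, bool]]:
    """Live lookup (assumes boto3 + credentials). Returns None when the
    account has no Public Access Block configuration."""
    import boto3  # imported lazily so the module stays importable offline
    from botocore.exceptions import ClientError

    client = boto3.client("s3control")
    try:
        resp = client.get_public_access_block(AccountId=account_id)
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise
    return resp["PublicAccessBlockConfiguration"]


if __name__ == "__main__":
    # Constructed sample: an account where only the ACL settings were enabled.
    partial = {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    }
    ok, missing = evaluate_public_access_block(partial)
    print("default rule compliant:", ok, "missing:", missing)
    # A customized rule that only requires the ACL settings passes instead.
    print("ACL-only rule:", evaluate_public_access_block(
        partial, required=("BlockPublicAcls", "IgnorePublicAcls")))
    # Document to send with put_public_access_block(AccountId=..., ...).
    print("remediation:", remediation_configuration(partial))
```

To remediate for real, pass `remediation_configuration(fetch_account_config(acct))` as the `PublicAccessBlockConfiguration` argument of `put_public_access_block` together with the same `AccountId`; merging with the current document matters because the PUT overwrites all four flags at once.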