Trend Micro™ Cloud One

Enable S3 Block Public Access for AWS Accounts

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14-day evaluation and check your compliance level for free!
Security
Risk level: Medium (should be achieved)

Ensure that the Amazon S3 Block Public Access feature is enabled at the AWS account level to restrict public access to all your S3 buckets, including those you create in the future. The feature can override existing bucket policies and permissions in order to block S3 public access, and it ensures that such access is not granted to newly created buckets and objects. When configuring Amazon S3 Block Public Access, you have two options for managing public ACLs and two for managing public bucket policies:
1. Manage public Access Control Lists (ACLs):
- Block new public ACLs and uploading public objects (BlockPublicAcls)
- Remove public access granted through public ACLs (IgnorePublicAcls)

2. Manage public S3 bucket policies:
- Block new public bucket policies (BlockPublicPolicy)
- Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets)

By default, this conformity rule checks all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) to determine whether the feature is enabled. You can customize the rule configuration by enabling or disabling these settings within your Cloud Conformity account.

Unless the Amazon S3 service is used for web hosting or public data repositories within your AWS account, blocking public access to all your S3 data serves as an account-level guard against accidental public exposure. Cloud Conformity strongly recommends using the Amazon S3 Block Public Access feature for any AWS account that is used for internal applications.

Audit

To determine if Amazon S3 public access is blocked at the AWS account level, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 In the left navigation panel, choose Public access settings for this account.

04 On the Public access settings for this account page, check the configuration status of all the settings available under Manage public access control lists (ACLs) and Manage public bucket policies. If the status of all four settings (Block new public ACLs and uploading public objects, Remove public access granted through public ACLs, Block new public bucket policies, and Block public and cross-account access to buckets that have public policies) is False, the Amazon S3 Block Public Access feature is not enabled in your AWS account, and public access to S3 data is therefore not restricted at the AWS account level.

05 Repeat steps no. 1 – 4 to determine the Amazon S3 Public Access Block feature configuration for other AWS accounts.

Using AWS CLI

01 Run the get-public-access-block command (OSX/Linux/UNIX) with your AWS account ID as the identifier parameter to get the Amazon S3 Public Access Block configuration for your AWS account:

aws s3control get-public-access-block \
    --region us-east-1 \
    --account-id 123456789012

02 The command output should return the requested configuration if the feature is enabled, or the "NoSuchPublicAccessBlockConfiguration" error message otherwise:

An error occurred (NoSuchPublicAccessBlockConfiguration) when calling the GetPublicAccessBlock operation: The public access block configuration was not found.

If the get-public-access-block command returns the NoSuchPublicAccessBlockConfiguration error, as shown in the example above, none of the Amazon S3 Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) are enabled within your AWS account, hence public access to S3 data is not restricted at the AWS account level.

03 Repeat steps no. 1 and 2 to perform the audit process for other Amazon Web Services (AWS) accounts.

Remediation/Resolution

To enable the Amazon S3 Public Access Block feature and deny all public access at the AWS account level, perform the following actions:

Note: By default, to comply with the rule configuration, all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) need to be activated in order to enable Amazon S3 Public Access Block.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 In the left navigation panel, choose Public access settings for this account to access the S3 Public Access Block feature configuration page.

04 On the configuration page, under Public access settings for this account, click Edit to enter the feature's edit mode.

05 To enable Amazon S3 Public Access Block, select all four configuration settings (Block new public ACLs and uploading public objects, Remove public access granted through public ACLs, Block new public bucket policies, and Block public and cross-account access to buckets that have public policies) and click the Save button from the top-right menu. These access settings are applied to all your existing S3 buckets and also to those that you create in the future.

06 Within the Edit public access settings for this account dialog box, type confirm in the required box, then click Confirm to apply the changes.

07 Repeat steps no. 1 – 6 to restrict Amazon S3 public access for other Amazon Web Services (AWS) accounts.

Using AWS CLI

01 Run the put-public-access-block command (OSX/Linux/UNIX) with your AWS account ID as the identifier parameter to enable and configure the Amazon S3 Public Access Block feature for the specified AWS account. This public access configuration is applied to all your existing S3 buckets and to those you create in the future (the command produces no output):

aws s3control put-public-access-block \
    --region us-east-1 \
    --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \
    --account-id 123456789012

02 Repeat step no. 1 to enable Amazon S3 Public Access Block for other AWS accounts.
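The CLI audit and remediation steps above, as an added Python example that is not Cloud Conformity's or AWS's own code: it evaluates a GetPublicAccessBlock result against a configurable set of required settings (treating the NoSuchPublicAccessBlockConfiguration error as "nothing enabled", the same way the Audit section does) and applies the four-setting remediation. The sample responses are constructed; the boto3 s3control client and the us-east-1 default region are assumptions.

```python
# Added example (not Cloud Conformity's or AWS's code) modelling the CLI
# audit/remediation steps above. boto3 is imported lazily so the evaluation
# logic runs offline without credentials.

# The four settings the conformity rule checks by default.
ALL_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample responses (not captured from a real account).
SAMPLE_ENABLED = {name: True for name in ALL_SETTINGS}
SAMPLE_PARTIAL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": False, "RestrictPublicBuckets": False}


def missing_settings(config: dict, required=ALL_SETTINGS) -> list:
    """Required settings that are not true in a PublicAccessBlockConfiguration.

    An empty dict models the NoSuchPublicAccessBlockConfiguration case (every
    setting effectively False); a smaller `required` mirrors a customized rule.
    """
    return [name for name in required if not config.get(name, False)]


def is_compliant(config: dict, required=ALL_SETTINGS) -> bool:
    return not missing_settings(config, required)


def fetch_account_config(account_id: str, region: str = "us-east-1") -> dict:
    """Audit: return the account-level configuration, or {} when AWS reports
    NoSuchPublicAccessBlockConfiguration (the CLI error shown in the Audit section)."""
    import boto3
    from botocore.exceptions import ClientError
    client = boto3.client("s3control", region_name=region)
    try:
        resp = client.get_public_access_block(AccountId=account_id)
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return {}
        raise
    return resp["PublicAccessBlockConfiguration"]


def enable_block_public_access(account_id: str, region: str = "us-east-1") -> None:
    """Remediation: enable all four settings, like put-public-access-block above."""
    import boto3
    boto3.client("s3control", region_name=region).put_public_access_block(
        AccountId=account_id,
        PublicAccessBlockConfiguration={name: True for name in ALL_SETTINGS},
    )
```

A partially configured account (two of four settings on) is reported as non-compliant under the default rule but compliant when only the two ACL settings are required, which is the customization the rule description allows.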


Publication date Apr 10, 2019
