Ensure that Amazon S3 Block Public Access feature is enabled for your AWS account to restrict public access to all your S3 buckets, including those that you create in the future. This feature has the ability to override existing policies and permissions in order to block S3 public access and to make sure that this type of access is not granted to newly created buckets and objects. When configuring Amazon S3 Block Public Access, you have two options for managing public ACLs and two for managing public bucket policies:
1. Manage public Access Control Lists (ACLs):
- Block new public ACLs and uploading public objects (BlockPublicAcls)
- Remove public access granted through public ACLs (IgnorePublicAcls)
2. Manage public S3 bucket policies:
- Block new public bucket policies (BlockPublicPolicy)
- Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets)
By default, this conformity rule checks for all four settings (i.e. BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) in order to determine if the feature is enabled or not. However, you can customize the rule configuration by disabling/enabling these settings within your Cloud Conformity account.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Unless the Amazon S3 service is used for web hosting or public data repositories within your AWS account, blocking public access to all your S3 data serves as an account-level guard against accidental public exposure. Cloud Conformity strongly recommends that you use the Amazon S3 Block Public Access feature for any AWS account that is used for internal applications.
To determine if Amazon S3 public access is blocked at the AWS account level, perform the following actions:
To enable the Amazon S3 Public Access Block feature and deny all public access at your AWS account level, perform the following actions:
Note: By default, to comply with the rule configuration, all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) need to be activated in order to enable Amazon S3 Public Access Block.
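The audit and remediation steps above can be scripted. The following is an added example, not Cloud Conformity's own code: it evaluates an account-level PublicAccessBlockConfiguration the way the rule described above does (all four settings required by default, with an optional narrower set to mirror the rule's customization), and wraps the two real boto3 s3control calls (get_public_access_block and put_public_access_block) for fetching and remediating a live account. The sample configurations are constructed, the account id is a placeholder, and the boto3 calls assume AWS credentials are available.

```python
"""Check and remediate account-level S3 Block Public Access (added example)."""
from typing import Dict, Iterable, List, Optional

# The four settings of the S3 Block Public Access feature, as named by the API.
ALL_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def missing_settings(config: Optional[Dict[str, bool]],
                     required: Iterable[str] = ALL_SETTINGS) -> List[str]:
    """Return the required settings that are not enabled.

    `config` is the PublicAccessBlockConfiguration dict as returned by the
    s3control GetPublicAccessBlock API, or None when the account has no
    configuration at all (then every required setting counts as missing).
    `required` defaults to all four settings, matching the rule's default;
    pass a subset to mirror a customized rule configuration.
    """
    config = config or {}
    return [name for name in required if not config.get(name, False)]


def is_compliant(config: Optional[Dict[str, bool]],
                 required: Iterable[str] = ALL_SETTINGS) -> bool:
    """True when every required setting is enabled."""
    return not missing_settings(config, required)


def remediation_config() -> Dict[str, bool]:
    """The configuration that satisfies the rule: all four settings on."""
    return {name: True for name in ALL_SETTINGS}


def fetch_account_config(account_id: str) -> Optional[Dict[str, bool]]:
    """Fetch the live account configuration with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the module loads without boto3 installed
    from botocore.exceptions import ClientError

    client = boto3.client("s3control")
    try:
        resp = client.get_public_access_block(AccountId=account_id)
    except ClientError as err:
        # The API reports an account with no configuration as this error code.
        if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise
    return resp["PublicAccessBlockConfiguration"]


def apply_account_block(account_id: str) -> None:
    """Enable all four settings at the account level (needs AWS credentials)."""
    import boto3

    client = boto3.client("s3control")
    client.put_public_access_block(
        AccountId=account_id,
        PublicAccessBlockConfiguration=remediation_config(),
    )


# Constructed sample responses, not real account data.
SAMPLE_FULL = {name: True for name in ALL_SETTINGS}
SAMPLE_PARTIAL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": False,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": False,
}

if __name__ == "__main__":
    for label, cfg in (("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL), ("none", None)):
        gaps = missing_settings(cfg)
        print(f"{label:8s} compliant={not gaps} missing={gaps}")
    # Live audit, with a placeholder account id:
    # account = "123456789012"  # placeholder, replace with your own account id
    # if not is_compliant(fetch_account_config(account)):
    #     apply_account_block(account)
```

The same two API calls are available from the AWS CLI as `aws s3control get-public-access-block --account-id <account-id>` and `aws s3control put-public-access-block --account-id <account-id> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`. Note that the account-level setting only restricts access; a bucket that already serves public data will stop being reachable once RestrictPublicBuckets takes effect, so run the audit first on accounts that host public content.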
You are auditing:
Enable S3 Block Public Access for AWS Accounts
Risk level: Very High