Ensure that Amazon S3 Block Public Access feature is enabled at your S3 buckets level to restrict public access to all objects available within these buckets, including those that you upload in the future. In order to enable Amazon S3 Block Public Access for your S3 buckets, you must turn on the following settings:
1. Block new public ACLs and uploading public objects (BlockPublicAcls) – this setting disallows the use of new public buckets or object Access Control Lists (ACLs) and it is usually used to ensure that future PUT requests that include them will fail. Enable this setting to protect against future attempts to use ACLs to make S3 buckets or objects publicly available.
2. Remove public access granted through public ACLs (IgnorePublicAcls) – this setting instructs the S3 service to stop evaluating any public ACL when authorizing a request, ensuring that no bucket or object can be made public by using Access Control Lists (ACLs). This option overrides any current or future public access settings for current and future objects in the configured S3 bucket.
3. Block new public bucket policies (BlockPublicPolicy) – this option disallows the use of new public bucket policies. This setting ensures that an S3 bucket policies cannot be updated to grant public access.
4. Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets) – once this option is enabled, the access to those S3 buckets that are publicly accessible will be limited to the bucket owner and to AWS services. This setting can be used to protect S3 buckets that have public policies while you work to remove the policies. By default, this conformity rule checks for all four settings (as recommended by AWS) in order to determine whether the feature is enabled for the specified bucket. However, you can customize the rule configuration by enabling/disabling these settings within your Cloud Conformity account.
By enabling this feature at the Amazon S3 bucket level, the bucket owners can easily set up centralized controls to limit public access to their S3 data. With Amazon S3 Block Public Access, you have the tools to make sure that you don't make your S3 buckets publicly accessible due to a simple configuration mistake or a misunderstanding.
Audit
To determine if Amazon S3 public access is blocked at the bucket level for specific S3 buckets, perform the following actions:
Remediation/Resolution
To enable Amazon S3 Public Access Block feature and restrict public access at the S3 bucket level, perform the following actions:
Note: By default, to comply with the rule configuration, all four settings – BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets need to be activated in order to enable Amazon S3 Public Access Block.References
- AWS Documentation
- Amazon S3 Frequently Asked Questions
- How Do I Block Public Access to S3 Buckets?
- Using Amazon S3 Block Public Access
- AWS Command Line Interface (CLI) Documentation
- s3api
- list-buckets
- get-public-access-block
- put-public-access-block
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
for and
Get started for FREE
You are auditing:
Enable S3 Block Public Access for S3 Buckets
Risk level: Medium