Logo of Trend Micro

Enable S3 Block Public Access for S3 Buckets

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Very High (act immediately)
Rule ID: S3-026

Ensure that Amazon S3 Block Public Access feature is enabled for your S3 buckets to restrict public access to all objects available within these buckets, including those that you upload in the future. In order to enable Amazon S3 Block Public Access for your S3 buckets, you must turn on the following settings:
1. Block new public ACLs and uploading public objects (BlockPublicAcls) – this setting disallows the use of new public buckets or object Access Control Lists (ACLs) and it is usually used to ensure that future PUT requests that include them will fail. Enable this setting to protect against future attempts to use ACLs to make S3 buckets or objects publicly available.

2. Remove public access granted through public ACLs (IgnorePublicAcls) – this setting instructs the S3 service to stop evaluating any public ACL when authorizing a request, ensuring that no bucket or object can be made public by using Access Control Lists (ACLs). This option overrides any current or future public access settings for current and future objects in the configured S3 bucket.

3. Block new public bucket policies (BlockPublicPolicy) – this option disallows the use of new public bucket policies. This setting ensures that an S3 bucket policies cannot be updated to grant public access.

4. Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets) – once this option is enabled, the access to those S3 buckets that are publicly accessible will be limited to the bucket owner and to AWS services. This setting can be used to protect S3 buckets that have public policies while you work to remove the policies. By default, this conformity rule checks for all four settings (as recommended by AWS) in order to determine whether the feature is enabled for the specified bucket. However, you can customize the rule configuration by enabling/disabling these settings within your Cloud Conformity account.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

By enabling this feature at the Amazon S3 bucket level, the bucket owners can easily set up centralized controls to limit public access to their S3 data. With Amazon S3 Block Public Access, you have the tools to make sure that you don't make your S3 buckets publicly accessible due to a simple configuration mistake or a misunderstanding.

Audit

To determine if Amazon S3 public access is blocked at the bucket level for specific S3 buckets, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Permissions tab from the S3 dashboard top menu to view bucket permissions.

05 On the Permissions panel, under Public access settings for this bucket, check the configuration status for all the settings available under Manage public access control lists (ACLs) and Manage public bucket policies. If the configuration status for all the settings, i.e. Block new public ACLs and uploading public objects, Remove public access granted through public ACLs, Block new public bucket policies and Block public and cross-account access to buckets that have public policies, is set to False, the Amazon S3 Block Public Access feature is not enabled for the selected S3 bucket, therefore public access is not currently restricted at the bucket level for the specified S3 bucket.

06 Repeat steps no. 3 – 5 to determine the Amazon S3 Public Access Block feature configuration for other S3 buckets available within your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all S3 buckets available in your AWS account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets: 

[
    "cc-internal-data",
    "cc-project5-logs"
]

03 Run get-public-access-block command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to examine as identifier to return the S3 Block Public Access feature configuration set for the selected Amazon S3 bucket: 

aws s3api get-public-access-block
	--bucket cc-internal-data

04 The command output should return the requested configuration information if the feature is enabled. If the result is the "NoSuchPublicAccessBlockConfiguration" error message or if all values are set to false then the feature is disabled. 

An error occurred (NoSuchPublicAccessBlockConfiguration) when calling the GetPublicAccessBlock operation: The public access block configuration was not found.

"PublicAccessBlockConfiguration": {
  "BlockPublicAcls": false,
  "IgnorePublicAcls": false,
  "BlockPublicPolicy": false,
  "RestrictPublicBuckets": false
}

If the command output returns either the NoSuchPublicAccessBlockConfiguration error message or configuration values all set to false, as shown in the example above, then none of the Amazon S3 Block Public Access configuration settings (i.e. BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) are enabled for the selected S3 bucket. Therefore the public access is not restricted for data protection at the bucket level for the specified S3 bucket.

05 Repeat step no. 3 and 4 to perform the audit process for other Amazon S3 buckets available in your AWS account.

Remediation/Resolution

To enable Amazon S3 Public Access Block feature and restrict public access at the S3 bucket level, perform the following actions:

Note: By default, to comply with the rule configuration, all four settings – BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets need to be activated in order to enable Amazon S3 Public Access Block.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource) to access the bucket configuration settings.

04 Select the Permissions tab from the S3 dashboard top menu to view bucket permissions.

05 On the Permissions panel, under Public access settings for this bucket, click Edit.

06 To enable the feature, select all four configuration settings, i.e.

Amazon S3 Public Access Block

then click Save.

07 Within Edit public access settings for this bucket dialog box, type confirm in the appropriate box, then click Confirm to apply the changes.

08 Repeat steps no. 3 – 7 to enable Amazon S3 Public Access Block for other S3 buckets available in your AWS account.

Using AWS CLI

01 Run put-public-access-block command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to reconfigure as parameter (see Audit section part II to identify the right resource), to enable and configure the Amazon S3 Public Access Block feature for the specified bucket (the command should not return an output): 

aws s3api put-public-access-block
	--region us-east-1
	--public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
	--bucket cc-internal-data

02 Repeat steps no. 1 to enable Amazon S3 Public Access Block for other S3 buckets available within your AWS account.

References

Publication date Jan 27, 2020

Related S3 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable S3 Block Public Access for S3 Buckets

Risk level: Very High