Enable S3 Block Public Access for S3 Buckets
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial
Ensure that Amazon S3 Block Public Access feature is enabled at your S3 buckets level to restrict public access to all objects available within these buckets, including those that you upload in the future. In order to enable Amazon S3 Block Public Access for your S3 buckets, you must turn on the following settings:
1. Block new public ACLs and uploading public objects (BlockPublicAcls) – this setting disallows the use of new public buckets or object Access Control Lists (ACLs) and it is usually used to ensure that future PUT requests that include them will fail. Enable this setting to protect against future attempts to use ACLs to make S3 buckets or objects publicly available.
2. Remove public access granted through public ACLs (IgnorePublicAcls) – this setting instructs the S3 service to stop evaluating any public ACL when authorizing a request, ensuring that no bucket or object can be made public by using Access Control Lists (ACLs). This option overrides any current or future public access settings for current and future objects in the configured S3 bucket.
3. Block new public bucket policies (BlockPublicPolicy) – this option disallows the use of new public bucket policies. This setting ensures that an S3 bucket policies cannot be updated to grant public access.
4. Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets) – once this option is enabled, the access to those S3 buckets that are publicly accessible will be limited to the bucket owner and to AWS services. This setting can be used to protect S3 buckets that have public policies while you work to remove the policies. By default, this conformity rule checks for all four settings (as recommended by AWS) in order to determine whether the feature is enabled for the specified bucket. However, you can customize the rule configuration by enabling/disabling these settings within your Cloud Conformity account.
By enabling this feature at the Amazon S3 bucket level, the bucket owners can easily set up centralized controls to limit public access to their S3 data. With Amazon S3 Block Public Access, you have the tools to make sure that you don't make your S3 buckets publicly accessible due to a simple configuration mistake or a misunderstanding.
To determine if Amazon S3 public access is blocked at the bucket level for specific S3 buckets, perform the following actions:
To enable Amazon S3 Public Access Block feature and restrict public access at the S3 bucket level, perform the following actions:
Note: By default, to comply with the rule configuration, all four settings – BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets need to be activated in order to enable Amazon S3 Public Access Block.01 Sign in to AWS Management Console.
02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
03 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource) to access the bucket configuration settings.
04 Select the Permissions tab from the S3 dashboard top menu to view bucket permissions.
05 On the Permissions panel, under Public access settings for this bucket, click Edit.
06 To enable the feature, select all four configuration settings, i.e.
then click Save.
07 Within Edit public access settings for this bucket dialog box, type confirm in the appropriate box, then click Confirm to apply the changes.
08 Repeat steps no. 3 – 7 to enable Amazon S3 Public Access Block for other S3 buckets available in your AWS account.