Ensure that the Amazon S3 Block Public Access feature is enabled at the AWS account level so that public access is blocked for all S3 buckets in the account, including buckets created in the future. The account-level setting overrides existing bucket ACLs and bucket policies that would otherwise grant public access, and it applies to every bucket in the account; when both account-level and bucket-level settings exist, S3 applies the more restrictive of the two, so a bucket-level setting can never loosen what the account blocks. The feature exposes two settings for public ACLs and two for public bucket policies:
- Manage public Access Control Lists (ACLs):
  - Block public access to buckets and objects granted through new ACLs (BlockPublicAcls).
  - Block public access to buckets and objects granted through any ACL, including existing ones (IgnorePublicAcls).
- Manage public S3 bucket policies:
  - Block public access to buckets and objects granted through new public bucket or access point policies (BlockPublicPolicy).
  - Block public and cross-account access to buckets and objects through any public bucket or access point policy (RestrictPublicBuckets).
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Unless Amazon S3 is used for static website hosting or public data sets within your AWS account, blocking public access to all your S3 data at the account level serves as a guard against accidental public exposure that a misconfigured individual bucket cannot bypass. We strongly recommend enabling the Amazon S3 Block Public Access feature for any AWS account that is used only for internal applications. Note that the feature governs public (anonymous) access and cross-account access granted through public policies; it does not restrict authenticated principals that are granted access through non-public IAM or bucket policies, so it complements rather than replaces least-privilege bucket policies.
Audit
To determine if Amazon S3 public access is blocked at the AWS account level, perform the following actions:
Remediation/Resolution
To enable S3 Block Public Access feature and deny all Amazon S3 public access at your AWS account level, perform the following actions:
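The audit check above and the remediation step can be scripted together. The following is an added example, not part of the Conformity page or of AWS's own tooling. For a live run it uses the boto3 `s3control` client's `get_public_access_block` and `put_public_access_block` calls (the credentials need the `s3:GetAccountPublicAccessBlock` and, for remediation, `s3:PutAccountPublicAccessBlock` permissions); the fake client, the account ID `123456789012` and the sample configuration in `main()` are constructed placeholders so the script also runs offline. It handles the case a naive audit misses: an account that has never had the configuration set, where the API raises `NoSuchPublicAccessBlockConfiguration` instead of returning four false values, which for a public-access audit must count as all four settings disabled.

```python
"""Audit and remediate account-level Amazon S3 Block Public Access.

Added example; not Conformity's or AWS's own code. boto3 is imported only
on the --live path; the offline demo uses a constructed fake client.
"""
import sys

# The four settings of an S3 Control PublicAccessBlockConfiguration, in the
# order the page lists them.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",        # block public access granted by new ACLs
    "IgnorePublicAcls",       # ignore public access granted by any existing ACL
    "BlockPublicPolicy",      # block new public bucket or access point policies
    "RestrictPublicBuckets",  # restrict public/cross-account access via any public policy
)


class FakeS3ControlClient:
    """Constructed stand-in for boto3's s3control client (assumption, not the
    real API). With config=None it behaves like an account that has never
    had Block Public Access configured: the get call raises instead of
    returning four false values."""

    class exceptions:  # mirrors client.exceptions on a real boto3 client
        class NoSuchPublicAccessBlockConfiguration(Exception):
            pass

    def __init__(self, config=None):
        self._config = config

    def get_public_access_block(self, AccountId):
        if self._config is None:
            raise self.exceptions.NoSuchPublicAccessBlockConfiguration(
                "The public access block configuration was not found")
        return {"PublicAccessBlockConfiguration": dict(self._config)}

    def put_public_access_block(self, AccountId, PublicAccessBlockConfiguration):
        self._config = dict(PublicAccessBlockConfiguration)
        return {}


def fetch_account_config(client, account_id):
    """Return the account's PublicAccessBlockConfiguration dict, or None when
    the account has no configuration at all."""
    try:
        resp = client.get_public_access_block(AccountId=account_id)
    except client.exceptions.NoSuchPublicAccessBlockConfiguration:
        return None
    return resp["PublicAccessBlockConfiguration"]


def findings(config):
    """Names of settings that are not enabled. No configuration at all counts
    as all four disabled, because that is what it means for public access."""
    if config is None:
        return list(REQUIRED_SETTINGS)
    return [name for name in REQUIRED_SETTINGS if config.get(name) is not True]


def remediate_account(client, account_id):
    """Enable all four settings account-wide. S3 applies the more restrictive
    of the account-level and bucket-level settings, so no bucket can loosen this."""
    client.put_public_access_block(
        AccountId=account_id,
        PublicAccessBlockConfiguration={name: True for name in REQUIRED_SETTINGS},
    )


def audit_and_fix(client, account_id, fix=False):
    """Return (findings_before, findings_after); with fix=False both are equal."""
    before = findings(fetch_account_config(client, account_id))
    if before and fix:
        remediate_account(client, account_id)
    after = findings(fetch_account_config(client, account_id))
    return before, after


def main(argv):
    if len(argv) >= 2 and argv[0] == "--live":
        import boto3  # needs s3:GetAccountPublicAccessBlock (+ Put for --fix)
        client, account_id, fix = boto3.client("s3control"), argv[1], "--fix" in argv
    else:
        # Constructed sample: ACL settings on, policy settings off.
        # 123456789012 is a placeholder account ID.
        client = FakeS3ControlClient({
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
        })
        account_id, fix = "123456789012", True
    before, after = audit_and_fix(client, account_id, fix=fix)
    print("findings before:", before or "none (compliant)")
    print("findings after: ", after or "none (compliant)")
    return 1 if after else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments for the offline demo, or as `--live 123456789012` (add `--fix` to remediate) against a real account; a non-zero exit code means at least one of the four settings is still disabled, which is the condition this rule flags.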
References
- AWS Documentation
- Amazon S3 FAQs
- How Do I Block Public Access to S3 Buckets?
- Using Amazon S3 Block Public Access
- AWS Command Line Interface (CLI) Documentation
- s3control (account-level Block Public Access; the s3api commands of the same name operate on a single bucket)
- get-public-access-block
- put-public-access-block
- AWS Blog(s)
- Amazon S3 Block Public Access – Another Layer of Protection for Your Accounts and Buckets
- CloudFormation Documentation
- Amazon Simple Storage Service resource type reference
- Terraform Documentation
- AWS Provider