Enable S3 Block Public Access for AWS Accounts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: S3-027

Ensure that Amazon S3 Block Public Access feature is enabled at your AWS account level to restrict public access to all your S3 buckets, including those that you create in the future. This feature has the ability to override existing policies and permissions in order to block S3 public access and to make sure that this type of access is not granted to newly created buckets and objects. When configuring Amazon S3 Block Public Access, you have two options for managing public ACLs and two for managing public bucket policies:

  1. Manage public Access Control Lists (ACLs):
    • Block public access to buckets and objects granted through new access control lists (ACLs) (API/IaC flag: BlockPublicAcls).
    • Block public access to buckets and objects granted through any access control lists (ACLs) (API/IaC flag: IgnorePublicAcls).
  2. Manage public S3 bucket policies:
    • Block public access to buckets and objects granted through new public bucket or access point policies (API/IaC flag: BlockPublicPolicy).
    • Block public and cross-account access to buckets and objects through any public bucket or access point policies (API/IaC flag: RestrictPublicBuckets).

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Unless the Amazon S3 service is used for web hosting or public data repositories within your AWS cloud account, blocking public access to all your S3 data serves as an account-level guard against accidental public exposure: the account-level setting applies to every bucket in the account and cannot be overridden by a bucket policy or ACL. We strongly recommend that you use the Amazon S3 Block Public Access feature for any AWS account that is used for internal applications. Accounts that legitimately host public buckets should isolate those buckets in a dedicated account, or at least apply Block Public Access at the bucket level to every other bucket.


Audit

To determine if Amazon S3 public access is blocked at the AWS account level, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 In the left navigation panel, choose Block Public Access settings for account.

04 On the Block Public Access settings for account page, check the configuration status of each option available under Block all public access, i.e. Block public access to buckets and objects granted through new access control lists (ACLs), Block public access to buckets and objects granted through any access control lists (ACLs), Block public access to buckets and objects granted through new public bucket or access point policies, and Block public and cross-account access to buckets and objects through any public bucket or access point policies. If the configuration status of all four options is set to Off, the S3 Block Public Access feature is not enabled in your AWS cloud account, therefore Amazon S3 public access is not restricted at the AWS account level. If only some of the options are On, the options that are Off are not enforced and buckets in the account can still be made public through that path.

05 Repeat steps no. 1 – 4 to determine the S3 Block Public Access feature configuration for other AWS cloud accounts.

Using AWS CLI

01 Run get-public-access-block command (OSX/Linux/UNIX) using the account ID as the identifier parameter to describe the S3 Block Public Access feature configuration for your AWS account:

aws s3control get-public-access-block \
  --region us-east-1 \
  --account-id 123456789012

02 The command output returns the feature configuration if one has been set for the account. If no account-level configuration exists, the command fails instead:

An error occurred (NoSuchPublicAccessBlockConfiguration) when calling the GetPublicAccessBlock operation: The public access block configuration was not found.

If the get-public-access-block command returns the "NoSuchPublicAccessBlockConfiguration" error, as shown in the example above, none of the Amazon S3 Block Public Access configuration options (i.e. Block public access to buckets and objects granted through new access control lists (ACLs), Block public access to buckets and objects granted through any access control lists (ACLs), Block public access to buckets and objects granted through new public bucket or access point policies, and Block public and cross-account access to buckets and objects through any public bucket or access point policies) is enabled within your AWS cloud account, therefore Amazon S3 public access is not restricted at the AWS account level. If the command does return a PublicAccessBlockConfiguration object, check each of its four flags (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets); any flag set to false means the corresponding option is not enforced.

03 Repeat steps no. 1 and 2 to determine the S3 Block Public Access feature configuration for other AWS cloud accounts.

Remediation/Resolution

To enable S3 Block Public Access feature and deny all Amazon S3 public access at your AWS account level, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable S3 Block Public Access for AWS Accounts",
  "Resources": {
    "S3BlockPublicAccess": {
      "Type": "AWS::S3::AccountPublicAccessBlock",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "IgnorePublicAcls": true,
          "BlockPublicPolicy": true,
          "RestrictPublicBuckets": true
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable S3 Block Public Access for AWS Accounts
Resources:
  S3BlockPublicAccess:
    Type: AWS::S3::AccountPublicAccessBlock
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

	terraform {
		required_providers {
			aws = {
				source  = "hashicorp/aws"
				version = "~> 4.0"
			}
		}

		required_version = ">= 0.14.9"
	}

	provider "aws" {
		profile = "default"
		region  = "us-east-1"
	}

	# Enable S3 Block Public Access for AWS Accounts
	resource "aws_s3_account_public_access_block" "s3-block-public-access" {
		block_public_acls = true
		block_public_policy = true
		ignore_public_acls = true
		restrict_public_buckets = true
	}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 In the left navigation panel, choose Block Public Access settings for account to access the feature configuration page.

04 On the Block Public Access settings for account page, choose Edit to modify the feature configuration.

05 To enable the S3 Block Public Access security feature, select the Block all public access checkbox to activate all feature options, and choose Save changes. These access options are applied to all your existing Amazon S3 buckets and also to those that you create in the future.

06 In the Edit Block Public Access settings for account dialog box, type confirm in the required box, then choose Confirm to apply the changes.

07 Repeat steps no. 1 – 6 to restrict Amazon S3 public access for other Amazon Web Services (AWS) accounts.

Using AWS CLI

01 Run put-public-access-block command (OSX/Linux/UNIX) with the AWS account ID as the identifier parameter, to enable and configure the Amazon S3 Block Public Access feature for your AWS cloud account. This access configuration is applied to all your existing Amazon S3 buckets and to those that you create in the future (the command does not produce an output):

aws s3control put-public-access-block \
  --region us-east-1 \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \
  --account-id 123456789012

02 Repeat step no. 1 to restrict Amazon S3 public access for other Amazon Web Services (AWS) accounts.
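The audit and remediation steps above, combined into one script as an added example (this is not Conformity's own code). It uses boto3's s3control client in the same way as the CLI commands on this page: a missing configuration surfaces as the NoSuchPublicAccessBlockConfiguration error, a present configuration is checked flag by flag, and after put-public-access-block (which returns nothing) the setting is read back to confirm it took effect. The FakeS3ControlClient class and the SAMPLE_* responses are constructed here so the logic runs offline; the `__main__` block assumes boto3, credentials, and the placeholder account ID 123456789012 from the page's examples.

```python
"""Audit and remediate S3 Block Public Access at the AWS account level (rule S3-027).

Added example, not part of the Conformity page or the AWS SDK.
"""
from __future__ import annotations

# The four account-level flags, in the order the console lists the options.
REQUIRED_FLAGS = (
    "BlockPublicAcls",        # block new public ACLs
    "IgnorePublicAcls",       # ignore any existing public ACLs
    "BlockPublicPolicy",      # block new public bucket / access point policies
    "RestrictPublicBuckets",  # restrict access through any public policy
)

# Constructed sample responses, shaped like the PublicAccessBlockConfiguration
# object that GetPublicAccessBlock returns.
SAMPLE_FULLY_ENABLED = {flag: True for flag in REQUIRED_FLAGS}
SAMPLE_PARTIAL = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                  "BlockPublicPolicy": True, "RestrictPublicBuckets": False}


def evaluate_public_access_block(config: dict | None) -> dict:
    """Classify a configuration; None means no account-level configuration exists.

    A missing configuration is the NoSuchPublicAccessBlockConfiguration case from
    the audit step: nothing is enforced. Otherwise every flag must be true; an
    absent flag is treated as false, which is how S3 interprets it.
    """
    if config is None:
        return {"compliant": False, "disabled": list(REQUIRED_FLAGS)}
    disabled = [flag for flag in REQUIRED_FLAGS if not config.get(flag, False)]
    return {"compliant": not disabled, "disabled": disabled}


def _aws_error_code(err: Exception) -> str | None:
    """Extract the AWS error code from a botocore ClientError-shaped exception."""
    return getattr(err, "response", {}).get("Error", {}).get("Code")


def get_account_public_access_block(client, account_id: str) -> dict | None:
    """Return the account's configuration, or None if none has been set."""
    try:
        response = client.get_public_access_block(AccountId=account_id)
    except Exception as err:
        if _aws_error_code(err) == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise
    return response["PublicAccessBlockConfiguration"]


def enforce_account_public_access_block(client, account_id: str) -> dict:
    """Enable all four flags, then read the setting back to confirm.

    put_public_access_block returns no payload (like the CLI command), so the
    read-back is the only evidence that the change actually took effect.
    """
    client.put_public_access_block(
        AccountId=account_id,
        PublicAccessBlockConfiguration={flag: True for flag in REQUIRED_FLAGS},
    )
    return evaluate_public_access_block(get_account_public_access_block(client, account_id))


class FakeS3ControlClient:
    """Constructed stand-in for boto3's s3control client, for offline runs only."""

    class ClientError(Exception):
        def __init__(self, code: str):
            super().__init__(code)
            self.response = {"Error": {"Code": code}}  # same shape as botocore

    def __init__(self, config: dict | None = None):
        self._config = config  # None models an account with no configuration

    def get_public_access_block(self, AccountId: str) -> dict:
        if self._config is None:
            raise self.ClientError("NoSuchPublicAccessBlockConfiguration")
        return {"PublicAccessBlockConfiguration": dict(self._config)}

    def put_public_access_block(self, AccountId: str, PublicAccessBlockConfiguration: dict) -> None:
        self._config = dict(PublicAccessBlockConfiguration)


if __name__ == "__main__":
    import boto3  # only needed when run against a real account (assumed available)

    account = "123456789012"  # placeholder account ID from the page's CLI examples
    s3control = boto3.client("s3control", region_name="us-east-1")
    before = evaluate_public_access_block(get_account_public_access_block(s3control, account))
    print("before:", before)
    if not before["compliant"]:
        print("after: ", enforce_account_public_access_block(s3control, account))
```

To cover several accounts, build an s3control client per account (for example from AssumeRole credentials) and call get_account_public_access_block with that account's ID; the evaluation logic is the same, and an account whose result lists any flag under "disabled" fails the check even if the other flags are on.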

Publication date Feb 3, 2020