Ensure that Amazon S3 Block Public Access feature is enabled for your S3 buckets to restrict public access to all objects available within these buckets, including those that you upload in the future. In order to enable Amazon S3 Block Public Access for your S3 buckets, you must turn on the following settings:
1. Block new public ACLs and uploading public objects (BlockPublicAcls) – this setting disallows the use of new public buckets or object Access Control Lists (ACLs) and it is usually used to ensure that future PUT requests that include them will fail. Enable this setting to protect against future attempts to use ACLs to make S3 buckets or objects publicly available.
2. Remove public access granted through public ACLs (IgnorePublicAcls) – this setting instructs the S3 service to stop evaluating any public ACL when authorizing a request, ensuring that no bucket or object can be made public by using Access Control Lists (ACLs). This option overrides any current or future public access settings for current and future objects in the configured S3 bucket.
3. Block new public bucket policies (BlockPublicPolicy) – this option disallows the use of new public bucket policies. This setting ensures that an S3 bucket policies cannot be updated to grant public access.
4. Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets) – once this option is enabled, the access to those S3 buckets that are publicly accessible will be limited to the bucket owner and to AWS services. This setting can be used to protect S3 buckets that have public policies while you work to remove the policies. By default, this conformity rule checks for all four settings (as recommended by AWS) in order to determine whether the feature is enabled for the specified bucket. However, you can customize the rule configuration by enabling/disabling these settings within your Cloud Conformity account.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
By enabling this feature at the Amazon S3 bucket level, the bucket owners can easily set up centralized controls to limit public access to their S3 data. With Amazon S3 Block Public Access, you have the tools to make sure that you don't make your S3 buckets publicly accessible due to a simple configuration mistake or a misunderstanding.
Audit
To determine if Amazon S3 public access is blocked at the bucket level for specific S3 buckets, perform the following actions:
Remediation/Resolution
To enable S3 Block Public Access feature for your existing Amazon S3 buckets and restrict public access at the S3 bucket level, perform the following operations:
Note: To comply with the conformity rule default configuration, all four configuration settings need to be activated in order to enable S3 Block Public Access feature.References
- AWS Documentation
- Amazon S3 Frequently Asked Questions
- How Do I Block Public Access to S3 Buckets?
- Using Amazon S3 Block Public Access
- AWS Command Line Interface (CLI) Documentation
- s3api
- list-buckets
- get-public-access-block
- put-public-access-block
- AWS Blog(s)
- Amazon S3 Block Public Access – Another Layer of Protection for Your Accounts and Buckets
- CloudFormation Documentation
- AWS::S3::Bucket PublicAccessBlockConfiguration
- Terraform Documentation
- AWS Provider