Enable S3 Block Public Access for S3 Buckets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: S3-026

Ensure that the Amazon S3 Block Public Access feature is enabled for your S3 buckets to restrict public access to all objects available within these buckets, including those that you upload in the future. In order to enable Amazon S3 Block Public Access for your S3 buckets, you must turn on the following settings:
1. Block new public ACLs and uploading public objects (BlockPublicAcls) – this setting disallows the use of new public bucket or object Access Control Lists (ACLs), so that future PUT requests that include a public ACL will fail. Enable this setting to protect against future attempts to use ACLs to make S3 buckets or objects publicly available.

2. Remove public access granted through public ACLs (IgnorePublicAcls) – this setting instructs the S3 service to stop evaluating any public ACL when authorizing a request, ensuring that no bucket or object can be made public by using Access Control Lists (ACLs). This option overrides any current or future public access settings for current and future objects in the configured S3 bucket.

3. Block new public bucket policies (BlockPublicPolicy) – this option disallows the use of new public bucket policies. This setting ensures that S3 bucket policies cannot be updated to grant public access.

4. Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets) – once this option is enabled, access to those S3 buckets that are publicly accessible is limited to the bucket owner and to AWS services. This setting can be used to protect S3 buckets that have public policies while you work to remove the policies.

By default, this conformity rule checks for all four settings (as recommended by AWS) in order to determine whether the feature is enabled for the specified bucket. However, you can customize the rule configuration by enabling/disabling these settings within your Cloud Conformity account.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

By enabling this feature at the Amazon S3 bucket level, the bucket owners can easily set up centralized controls to limit public access to their S3 data. With Amazon S3 Block Public Access, you have the tools to make sure that you don't make your S3 buckets publicly accessible due to a simple configuration mistake or a misunderstanding.


Audit

To determine if Amazon S3 public access is blocked at the bucket level for specific S3 buckets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Permissions tab from the console menu to access the bucket permissions.

05 In the Block public access (bucket settings) section, check the configuration status of each setting listed under Block all public access. If the status of all four settings, i.e. Block public access to buckets and objects granted through new access control lists (ACLs), Block public access to buckets and objects granted through any access control lists (ACLs), Block public access to buckets and objects granted through new public bucket or access point policies, and Block public and cross-account access to buckets and objects through any public bucket or access point policies, is Off, the S3 Block Public Access feature is not enabled for the selected Amazon S3 bucket, and public access to its data is therefore not restricted at the bucket level.

06 Repeat steps no. 3 – 5 to determine the S3 Block Public Access feature configuration for other Amazon S3 buckets available within your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
    "cc-internal-data",
    "cc-project5-logs"
]

03 Run get-public-access-block command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter to return the S3 Block Public Access feature configuration available for the selected S3 bucket:

aws s3api get-public-access-block \
  --bucket cc-internal-data \
  --query 'PublicAccessBlockConfiguration'

04 The command output should return the requested configuration information:

  1. If the feature was never enabled on the selected bucket, the get-public-access-block command output returns the "NoSuchPublicAccessBlockConfiguration" error message, i.e.:
    An error occurred (NoSuchPublicAccessBlockConfiguration) when calling the GetPublicAccessBlock operation: The public
    access block configuration was not found.
    
  2. If the S3 Block Public Access feature is not currently enabled for the selected Amazon S3 bucket, the get-public-access-block command output returns false for each supported setting, as shown in the output example below:
    {
      "BlockPublicAcls": false,
      "IgnorePublicAcls": false,
      "BlockPublicPolicy": false,
      "RestrictPublicBuckets": false
    }
    

05 Repeat steps no. 3 and 4 to determine the S3 Block Public Access feature configuration for other Amazon S3 buckets available in your AWS cloud account.
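As an added example (not part of the Conformity page or of the AWS CLI), the Python below encodes the audit logic of steps 01 to 05: it parses both outputs shown in step 04, applies the default rule (all four settings must be true, narrowable to a customized rule configuration), and includes a live boto3 variant that treats the NoSuchPublicAccessBlockConfiguration error as "never enabled". The boto3 client, the configured credentials and the us-east-1 default region are assumptions; the sample outputs are constructed from the page.

```python
import json

# Settings rule S3-026 checks by default, and the error code the API/CLI
# returns when Block Public Access was never configured on a bucket.
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
NEVER_CONFIGURED = "NoSuchPublicAccessBlockConfiguration"

# Constructed samples of the two CLI outputs shown in audit step 04.
SAMPLE_ERROR = ("An error occurred (NoSuchPublicAccessBlockConfiguration) when "
                "calling the GetPublicAccessBlock operation: The public access "
                "block configuration was not found.")
SAMPLE_JSON = ('{"BlockPublicAcls": false, "IgnorePublicAcls": false, '
               '"BlockPublicPolicy": false, "RestrictPublicBuckets": false}')

def parse_cli_output(stdout, stderr=""):
    """Parse `aws s3api get-public-access-block --query
    PublicAccessBlockConfiguration` output; None means never configured."""
    if NEVER_CONFIGURED in stderr or NEVER_CONFIGURED in stdout:
        return None
    return json.loads(stdout)

def evaluate(config, required=BPA_SETTINGS):
    """Rule check: every required setting must be explicitly true. Narrow
    `required` to mirror a customized rule. Returns (compliant, failing)."""
    if config is None:  # never configured: every required setting is missing
        return False, list(required)
    failing = [s for s in required if config.get(s) is not True]
    return not failing, failing

def audit_account(region="us-east-1"):
    """Live equivalent of audit steps 01-05; assumes boto3 is installed and
    AWS credentials are configured. Maps non-compliant bucket -> failing."""
    import boto3  # lazy import so the offline helpers above need no SDK
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3", region_name=region)
    findings = {}
    for bucket in s3.list_buckets()["Buckets"]:
        try:
            resp = s3.get_public_access_block(Bucket=bucket["Name"])
            config = resp["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != NEVER_CONFIGURED:
                raise
            config = None
        compliant, failing = evaluate(config)
        if not compliant:
            findings[bucket["Name"]] = failing
    return findings
```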

Remediation/Resolution

To enable the S3 Block Public Access feature for your existing Amazon S3 buckets and restrict public access at the S3 bucket level, perform the following operations:

Note: To comply with the conformity rule default configuration, all four configuration settings need to be activated in order to enable the S3 Block Public Access feature.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable S3 Block Public Access",
  "Resources": {
    "SecureS3Bucket": {
      "Properties": {
        "BucketName": "cc-internal-data",
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "IgnorePublicAcls": true,
          "BlockPublicPolicy": true,
          "RestrictPublicBuckets": true
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable S3 Block Public Access
Resources:
  SecureS3Bucket:
    Properties:
      BucketName: cc-internal-data
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
    Type: 'AWS::S3::Bucket'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region = "us-east-1"
}

resource "aws_s3_bucket_public_access_block" "private-bucket" {
  bucket = "cc-internal-data"
  block_public_acls = true
  ignore_public_acls = true
  block_public_policy = true
  restrict_public_buckets = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Permissions tab from the S3 console menu to access the bucket permissions.

05 In the Block public access (bucket settings) section, choose Edit to modify the feature configuration.

06 To enable the S3 Block Public Access feature, select the Block all public access checkbox to activate all feature settings (options), and choose Save changes.

07 In the Edit Block public access (bucket settings) dialog box, type confirm in the appropriate box, then choose Confirm to apply the configuration changes.

08 Repeat steps no. 3 – 7 to enable the S3 Block Public Access feature for other Amazon S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Run put-public-access-block command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource), to enable and configure the S3 Block Public Access feature for the specified S3 bucket (the command should not return any output):

aws s3api put-public-access-block \
  --region us-east-1 \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \
  --bucket cc-internal-data

02 Repeat step no. 1 to enable the S3 Block Public Access feature for other Amazon S3 buckets available within your AWS cloud account.

Publication date Jan 27, 2020