🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 1 S3 Block Public Access setting should be enabled

Description

The control passes if all of the public access block settings are set to true.

The control fails if any of the settings are set to false, or if any of the settings are not configured. When the settings do not have a value, the AWS Config rule cannot complete its evaluation.

Amazon S3 public access block is designed to provide controls across an entire AWS account or at the individual S3 bucket level to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.

Unless you intend to have your S3 buckets be publicly accessible, you should configure the account level Amazon S3 Block Public Access feature.

Remediation

To remediate this issue, enable Amazon S3 Block Public Access.

To enable Amazon S3 Block Public Access

  1. Open the Amazon S3 console.
  2. Choose Block public access (account settings).
  3. Choose Edit.
  4. Select Block all public access.
  5. Choose Save changes.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_s3_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_s3_1 --share

SQL

This control uses a named query:

select
  'arn' || ':' || 'aws' || ':::' || account_id as resource,
  case
    when block_public_acls
      and block_public_policy
      and ignore_public_acls
      and restrict_public_buckets
      then 'ok'
    else 'alarm'
  end as status,
  case
    when block_public_acls
      and block_public_policy
      and ignore_public_acls
      and restrict_public_buckets
      then 'Account level public access blocks enabled.'
    else 'Account level public access blocks not enabled for: ' ||
      concat_ws(', ',
        case when not (block_public_acls ) then 'block_public_acls' end,
        case when not (block_public_policy) then 'block_public_policy' end,
        case when not (ignore_public_acls ) then 'ignore_public_acls' end,
        case when not (restrict_public_buckets) then 'restrict_public_buckets' end
      ) || '.'
  end as reason
  , account_id
from
  aws_s3_account_settings;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_network_configuration
foundational_security_item_id = s3_1
plugin = aws
service = AWS/S3