🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 24 S3 Multi-Region Access Points should have block public access settings enabled

Description

This control checks whether an Amazon S3 Multi-Region Access Point has block public access settings enabled. The control fails when the Multi-Region Access Point doesn't have block public access settings enabled.

Publicly accessible resources can be lead to unauthorized access, data breaches, or exploitation of vulnerabilities. Restricting access through authentication and authorization measures helps to safeguard sensitive information and maintain the integrity of your resources.

Remediation

By default, all Block Public Access settings are enabled for an S3 Multi-Region Access Point. For more information , see Blocking public access with Amazon S3 Multi-Region Access Points in the Amazon Simple Storage Service User Guide. You can't change the Block Public Access settings for a Multi-Region Access Point after it has been created.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_s3_24

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_s3_24 --share

SQL

This control uses a named query:

select
  'arn:' || partition || ':s3::' || account_id || ':accesspoint/' || alias as resource,
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
      then 'ok'
    else 'alarm'
  end as status,
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
      then title || ' block public access settings enabled.'
    else title || ' public access settings not enabled for: ' ||
      concat_ws(', ',
        case when not (public_access_block -> 'BlockPublicAcls')::bool then 'BlockPublicAcls' end,
        case when not (public_access_block -> 'BlockPublicPolicy')::bool then 'BlockPublicPolicy' end,
        case when not (public_access_block -> 'IgnorePublicAcls')::bool then 'IgnorePublicAcls' end,
        case when not (public_access_block -> 'RestrictPublicBuckets')::bool then 'RestrictPublicBuckets' end
      ) || '.'
  end as reason
  , account_id
from
  aws_s3_multi_region_access_point;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = resources_not_publicly_accessible
foundational_security_item_id = s3_24
plugin = aws
service = AWS/S3