Control: 24 S3 Multi-Region Access Points should have block public access settings enabled
Description
This control checks whether an Amazon S3 Multi-Region Access Point has block public access settings enabled. The control fails when the Multi-Region Access Point doesn't have block public access settings enabled.
Publicly accessible resources can lead to unauthorized access, data breaches, or exploitation of vulnerabilities. Restricting access through authentication and authorization measures helps to safeguard sensitive information and maintain the integrity of your resources.
Remediation
By default, all Block Public Access settings are enabled for an S3 Multi-Region Access Point. For more information, see Blocking public access with Amazon S3 Multi-Region Access Points in the Amazon Simple Storage Service User Guide. You can't change the Block Public Access settings for a Multi-Region Access Point after it has been created.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_s3_24
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_s3_24 --share
SQL
This control uses a named query:
select
  'arn:' || partition || ':s3::' || account_id || ':accesspoint/' || alias as resource,
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when (public_access_block -> 'BlockPublicAcls')::bool
      and (public_access_block -> 'BlockPublicPolicy')::bool
      and (public_access_block -> 'IgnorePublicAcls')::bool
      and (public_access_block -> 'RestrictPublicBuckets')::bool
      then title || ' block public access settings enabled.'
    else title || ' public access settings not enabled for: ' || concat_ws(', ',
      case when not (public_access_block -> 'BlockPublicAcls')::bool then 'BlockPublicAcls' end,
      case when not (public_access_block -> 'BlockPublicPolicy')::bool then 'BlockPublicPolicy' end,
      case when not (public_access_block -> 'IgnorePublicAcls')::bool then 'IgnorePublicAcls' end,
      case when not (public_access_block -> 'RestrictPublicBuckets')::bool then 'RestrictPublicBuckets' end
    ) || '.'
  end as reason,
  account_id
from
  aws_s3_multi_region_access_point;
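As an added example (not part of this control or the Steampipe AWS plugin), the same check applied in Python to a response in the shape returned by the s3control ListMultiRegionAccessPoints API, so the control logic can be run against raw API output outside Steampipe. The access point names, aliases and account id are constructed; a Multi-Region Access Point with no PublicAccessBlock at all is treated as not enabled, matching the query's else branch.

```python
import json

# The four Block Public Access settings the control requires, listed in the
# order the control's reason string reports them.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "BlockPublicPolicy",
    "IgnorePublicAcls",
    "RestrictPublicBuckets",
)

def evaluate_access_point(ap: dict, account_id: str, partition: str = "aws") -> dict:
    """Apply the S3.24 check to one AccessPoint object in the shape returned
    by s3control GetMultiRegionAccessPoint / ListMultiRegionAccessPoints.
    A missing or partial PublicAccessBlock counts as not enabled."""
    pab = ap.get("PublicAccessBlock") or {}
    # A setting only passes when it is explicitly true; absent keys fail.
    missing = [s for s in REQUIRED_SETTINGS if pab.get(s) is not True]
    name = ap.get("Name", "<unnamed>")
    result = {
        "resource": f"arn:{partition}:s3::{account_id}:accesspoint/{ap.get('Alias', '')}",
        "status": "ok" if not missing else "alarm",
    }
    if missing:
        result["reason"] = f"{name} public access settings not enabled for: {', '.join(missing)}."
    else:
        result["reason"] = f"{name} block public access settings enabled."
    return result

def evaluate_list_response(response_json: str, account_id: str) -> list[dict]:
    """Evaluate every entry of a ListMultiRegionAccessPoints response."""
    data = json.loads(response_json)
    return [evaluate_access_point(ap, account_id) for ap in data.get("AccessPoints", [])]

# Constructed sample response (not real account data): one compliant MRAP,
# one with two settings disabled, and one with no PublicAccessBlock at all.
SAMPLE_RESPONSE = json.dumps({"AccessPoints": [
    {"Name": "mrap-prod", "Alias": "mfzwi23gnjvgw.mrap",
     "PublicAccessBlock": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                           "IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
    {"Name": "mrap-legacy", "Alias": "abcdefghijklm.mrap",
     "PublicAccessBlock": {"BlockPublicAcls": True, "BlockPublicPolicy": False,
                           "IgnorePublicAcls": True, "RestrictPublicBuckets": False}},
    {"Name": "mrap-unknown", "Alias": "nopqrstuvwxyz.mrap"},
]})

if __name__ == "__main__":
    for finding in evaluate_list_response(SAMPLE_RESPONSE, "123456789012"):
        print(finding["status"], finding["resource"], finding["reason"])
```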