turbot/steampipe-mod-aws-compliance

Control: 8 S3 Block Public Access setting should be enabled at the bucket level

Description

This control checks whether S3 buckets have bucket-level public access blocks applied. It fails if any of the four bucket-level public access block settings is set to false.

Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.

Remediation

For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_s3_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_s3_8 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when block_public_acls
      and block_public_policy
      and ignore_public_acls
      and restrict_public_buckets
    then 'ok'
    else 'alarm'
  end as status,
  case
    when block_public_acls
      and block_public_policy
      and ignore_public_acls
      and restrict_public_buckets
    then name || ' all public access blocks enabled.'
    else name || ' not enabled for: ' ||
      concat_ws(', ',
        case when not block_public_acls then 'block_public_acls' end,
        case when not block_public_policy then 'block_public_policy' end,
        case when not ignore_public_acls then 'ignore_public_acls' end,
        case when not restrict_public_buckets then 'restrict_public_buckets' end
      ) || '.'
  end as reason,
  region,
  account_id
from
  aws_s3_bucket;
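The following added example (not part of the mod) applies the same four-flag test to rows shaped like the aws_s3_bucket table and, for every bucket the control would alarm on, emits the aws s3api command that turns all four bucket-level blocks on. The Bucket class and the sample rows are constructed for illustration; a setting that is missing (None) is treated as not enabled.

```python
from dataclasses import dataclass
from typing import Optional

# Column order matches the control's named query.
BLOCK_SETTINGS = ("block_public_acls", "block_public_policy",
                  "ignore_public_acls", "restrict_public_buckets")

@dataclass
class Bucket:
    """Subset of aws_s3_bucket columns the control reads (constructed shape)."""
    name: str
    region: str
    block_public_acls: Optional[bool]
    block_public_policy: Optional[bool]
    ignore_public_acls: Optional[bool]
    restrict_public_buckets: Optional[bool]

def evaluate(bucket: Bucket) -> tuple:
    """Mirror the query: 'ok' only when all four flags are true.
    A missing flag (None, i.e. no public access block configured) counts
    as not enabled, so such a bucket is alarmed with all four listed."""
    missing = [s for s in BLOCK_SETTINGS if getattr(bucket, s) is not True]
    if not missing:
        return "ok", f"{bucket.name} all public access blocks enabled."
    return "alarm", f"{bucket.name} not enabled for: {', '.join(missing)}."

def remediation_command(bucket: Bucket) -> str:
    """aws s3api call that enables all four bucket-level blocks at once."""
    cfg = ("BlockPublicAcls=true,IgnorePublicAcls=true,"
           "BlockPublicPolicy=true,RestrictPublicBuckets=true")
    return (f"aws s3api put-public-access-block --bucket {bucket.name} "
            f"--region {bucket.region} --public-access-block-configuration {cfg}")

def remediation_plan(buckets) -> list:
    """One command per bucket the control would report in alarm."""
    return [remediation_command(b) for b in buckets if evaluate(b)[0] == "alarm"]

# Constructed sample rows, not data from a real account.
SAMPLE = [
    Bucket("logs-prod", "us-east-1", True, True, True, True),
    Bucket("site-assets", "eu-west-1", True, False, True, False),
    Bucket("legacy", "us-west-2", None, None, None, None),
]

if __name__ == "__main__":
    for b in SAMPLE:
        print(*evaluate(b))
    print("\n".join(remediation_plan(SAMPLE)))
```

Review the generated commands before running them: enabling restrict_public_buckets on a bucket that legitimately serves public content will cut off that access.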

Tags