Control: S3 public access should be blocked at account and bucket levels
Description
Manage access to resources in the AWS Cloud by ensuring that AWS Simple Storage Service (AWS S3) buckets cannot be publicly accessed.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.s3_public_access_block_bucket_accountSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.s3_public_access_block_bucket_account --shareSQL
This control uses a named query:
select arn as resource, case when (bucket.block_public_acls or s3account.block_public_acls) and (bucket.block_public_policy or s3account.block_public_policy) and (bucket.ignore_public_acls or s3account.ignore_public_acls) and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'ok' else 'alarm' end as status, case when (bucket.block_public_acls or s3account.block_public_acls) and (bucket.block_public_policy or s3account.block_public_policy) and (bucket.ignore_public_acls or s3account.ignore_public_acls) and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then name || ' all public access blocks enabled.' else name || ' not enabled for: ' || concat_ws(', ', case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end, case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end, case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end, case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end ) || '.' end as reason , bucket.region, bucket.account_idfrom aws_s3_bucket as bucket, aws_s3_account_settings as s3accountwhere s3account.account_id = bucket.account_id;