Control: 3.1.4 Ensure that S3 is configured with 'Block Public Access' enabled
Description
Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket and its contained objects from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets and their contained objects from becoming publicly accessible across the entire account.
Remediation
If utilizing Block Public Access (bucket settings)
From Console:
- Login to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.
- Select the check box next to a bucket.
- Click 'Edit public access settings'.
- Click 'Block all public access'
- Repeat for all the buckets in your AWS account that contain sensitive data
From Command Line:
- List all of the S3 buckets:
aws s3 ls
- Enable Block Public Access on a specific bucket:
aws s3api put-public-access-block --bucket <bucket-name> --public-accessblock-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
If utilizing Block Public Access (account settings)
From Console:
If the output reads true for the separate configuration settings, then Block Public Access is enabled on the account.
- Login to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.
- Click
Block Public Access (account settings). - Click
Editto change the block public access settings for all the buckets in your AWS account. - Update the settings and click Save. For details about each setting, pause on the
iicons. - When you're asked for confirmation, enter
confirm. Then clickConfirmto save your changes.
From Command Line:
To enable Block Public Access for this account, run the following command:
aws s3api put-public-access-block --bucket <bucket-name> --public-accessblock-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
Default Value:
By default, new S3 buckets and objects are created with public access disabled, but the Block Public Access settings (at the bucket or account level) are not enforced. They must be explicitly enabled to prevent future public access changes.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_3_1_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v600_3_1_4 --shareSQL
This control uses a named query:
select arn as resource, case when (bucket.block_public_acls or s3account.block_public_acls) and (bucket.block_public_policy or s3account.block_public_policy) and (bucket.ignore_public_acls or s3account.ignore_public_acls) and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'ok' else 'alarm' end as status, case when (bucket.block_public_acls or s3account.block_public_acls) and (bucket.block_public_policy or s3account.block_public_policy) and (bucket.ignore_public_acls or s3account.ignore_public_acls) and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then name || ' all public access blocks enabled.' else name || ' not enabled for: ' || concat_ws(', ', case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end, case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end, case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end, case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end ) || '.' end as reason , bucket.region, bucket.account_idfrom aws_s3_bucket as bucket, aws_s3_account_settings as s3accountwhere s3account.account_id = bucket.account_id;