Detection: S3 Bucket Block Public Access Disabled

Overview

Detect when the block public access setting for an Amazon S3 bucket was disabled. Disabling block public access increases the risk of exposing sensitive data to unauthorized users by allowing public access to the bucket. Monitoring these configurations helps ensure compliance with security best practices and protects data confidentiality.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.s3_bucket_block_public_access_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.s3_bucket_block_public_access_disabled --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
request_parameters ->> 'bucketName' as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*

from
  aws_cloudtrail_log
where
  event_source = 's3.amazonaws.com'
  and event_name = 'PutBucketPublicAccessBlock'
  and ((request_parameters -> 'PublicAccessBlockConfiguration' -> 'RestrictPublicBuckets') = false
  or (request_parameters -> 'PublicAccessBlockConfiguration' -> 'BlockPublicPolicy') = false
  or (request_parameters -> 'PublicAccessBlockConfiguration' -> 'BlockPublicAcls') = false
  or (request_parameters -> 'PublicAccessBlockConfiguration' -> 'IgnorePublicAcls') = false)
  and error_code is null

order by
  event_time desc;

Detection: S3 Bucket Block Public Access Disabled

Overview

Overview

Usage

SQL

Tags