S3 buckets should have all “block public access” options enabled


S3 buckets should have all block public access options enabled. AWS’s S3 Block Public Access feature has four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets. All four settings should be enabled to help prevent the risk of a data breach.

Console Remediation Steps

  • Navigate to S3.

  • In the Bucket name list, choose the name of the bucket that you want.

  • Choose Permissions.

  • Choose Edit to change the public access settings for the bucket.

  • Check the box for Block all public access.

  • Click Save.

  • When you’re asked for confirmation, enter confirm. Then choose Confirm to save your changes.

CLI Remediation Steps

To enable all four block public access settings for a bucket:

aws s3api put-public-access-block \
    --bucket fugue-bucket-example \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"