S3 buckets should have all “block public access” options enabled

Description

S3 buckets should have all block public access options enabled. AWS's S3 Block Public Access feature has four settings: BlockPublicAcls (rejects PUT requests that would attach a public ACL to the bucket or its objects), IgnorePublicAcls (ignores any public ACL already attached, so existing public grants stop working), BlockPublicPolicy (rejects bucket policies that grant public access), and RestrictPublicBuckets (limits access to a bucket that already has a public policy to AWS service principals and authorized users within the bucket owner's account). All four settings should be enabled to prevent the bucket and its objects from being exposed through a misconfigured ACL or bucket policy. The settings can be applied per bucket or for the whole account; where both exist, S3 applies the most restrictive combination of the two, so enabling all four at the account level covers every bucket in the account, including buckets created later.

Remediation Steps

AWS Console

To enable block public access settings at the bucket level:

  • Navigate to S3.

  • In the Bucket name list, choose the name of the bucket that you want.

  • Choose Permissions.

  • Choose Edit to change the public access settings for the bucket.

  • Check the box for Block all public access.

  • Click Save.

  • When you’re asked for confirmation, enter confirm. Then choose Confirm to save your changes.

To enable block public access settings at the account level:

  • Navigate to S3.

  • In the left navigation, select Block Public Access settings for this account.

  • Choose Edit to change the block public access settings for all the buckets in your AWS account.

  • Check the box for Block all public access (this enables all four settings), and then choose Save changes.

  • When you’re asked for confirmation, enter confirm. Then choose Confirm to save your changes.

AWS CLI

To enable block public access settings at the bucket level:

aws s3api put-public-access-block \
    --bucket fugue-bucket-example \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

To enable block public access settings at the account level:

aws s3control put-public-access-block \
    --account-id 123456789012 \
    --public-access-block-configuration '{"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}'
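The put commands above set the configuration at one level, and the matching read commands (aws s3api get-public-access-block --bucket and aws s3control get-public-access-block --account-id) report each level separately, while S3 itself enforces the most restrictive combination of the two. The Python script below is an added example, not Fugue's or AWS's code: it merges an account-level configuration with each bucket's configuration the way S3 does (a setting is effectively on if either level enables it), lists which of the four settings are still off for each bucket, and treats a missing configuration (the API's NoSuchPublicAccessBlockConfiguration error) as all four settings off. The account and bucket data are constructed for the example; fetch_from_aws shows how to pull live data with boto3 into the same shape and is not run here.

```python
"""Audit effective S3 Block Public Access settings across buckets.

Added example (not Fugue's or AWS's code). Configurations are the
PublicAccessBlockConfiguration dicts returned by
`aws s3api get-public-access-block` / `aws s3control get-public-access-block`,
or None when no configuration exists at that level.
"""

SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def effective_config(account_cfg, bucket_cfg):
    """Combine account-level and bucket-level settings as S3 enforces them.

    S3 applies the most restrictive combination, so a flag is effectively on
    when either level sets it to true. A missing level (None) enables nothing.
    """
    account_cfg = account_cfg or {}
    bucket_cfg = bucket_cfg or {}
    return {
        s: bool(account_cfg.get(s, False)) or bool(bucket_cfg.get(s, False))
        for s in SETTINGS
    }


def missing_settings(cfg):
    """Return the names of the flags that are still off, in canonical order."""
    return [s for s in SETTINGS if not cfg.get(s, False)]


def audit(account_cfg, buckets):
    """Map bucket name -> flags still off after merging with the account level.

    A compliant bucket maps to an empty list.
    """
    return {
        name: missing_settings(effective_config(account_cfg, cfg))
        for name, cfg in buckets.items()
    }


def noncompliant(account_cfg, buckets):
    """Sorted names of buckets with at least one of the four flags off."""
    return sorted(name for name, off in audit(account_cfg, buckets).items() if off)


def fetch_from_aws(account_id, bucket_names):
    """Pull live configurations with boto3 (needs credentials; not run here).

    Returns (account_cfg, {bucket: cfg}) in the shape audit() expects. A
    NoSuchPublicAccessBlockConfiguration error means nothing is configured at
    that level, which is reported as None (all four flags off).
    """
    import boto3
    from botocore.exceptions import ClientError

    def get(call, **kwargs):
        try:
            return call(**kwargs)["PublicAccessBlockConfiguration"]
        except ClientError as exc:
            if exc.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
                return None
            raise

    s3 = boto3.client("s3")
    s3control = boto3.client("s3control")
    account_cfg = get(s3control.get_public_access_block, AccountId=account_id)
    buckets = {b: get(s3.get_public_access_block, Bucket=b) for b in bucket_names}
    return account_cfg, buckets


# Constructed sample data (hypothetical account and bucket names): no
# account-level block; one bucket fully blocked, one partially, one unset.
SAMPLE_ACCOUNT_CFG = None
SAMPLE_BUCKETS = {
    "fugue-bucket-example": {s: True for s in SETTINGS},
    "logs-bucket": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    },
    "legacy-bucket": None,
}

if __name__ == "__main__":
    for name, off in audit(SAMPLE_ACCOUNT_CFG, SAMPLE_BUCKETS).items():
        status = "OK" if not off else "FAIL (off: " + ", ".join(off) + ")"
        print(f"{name}: {status}")
```

Feeding the same sample buckets a fully enabled account-level configuration makes every bucket compliant, which is the practical reason to apply the block at the account level in addition to per bucket: a bucket created later, or one whose own block is removed, is still covered.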

CloudFormation

Block public access settings currently cannot be enabled at the account level in CloudFormation. Enable these settings for each bucket instead.

JSON

{
  "Properties" : {
    "BucketName" : "example-bucket-name",
    "PublicAccessBlockConfiguration" : {
      "BlockPublicAcls" : true,
      "BlockPublicPolicy" : true,
      "IgnorePublicAcls" : true,
      "RestrictPublicBuckets" : true
    }
  }
}
JSON Example Configuration
{
  "Resources" : {
    "ExampleBucket" : {
      "Type" : "AWS::S3::Bucket",
      "Properties" : {
        "BucketName" : "example-bucket-name",
        "PublicAccessBlockConfiguration" : {
          "BlockPublicAcls" : true,
          "BlockPublicPolicy" : true,
          "IgnorePublicAcls" : true,
          "RestrictPublicBuckets" : true
        }
      }
    }
  }
}

YAML

Properties:
  BucketName: example-bucket-name
  PublicAccessBlockConfiguration:
    BlockPublicAcls: true
    BlockPublicPolicy: true
    IgnorePublicAcls: true
    RestrictPublicBuckets: true
YAML Example Configuration
Resources:
  ExampleBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: example-bucket-name
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Terraform

To enable block public access settings at the bucket level:

  • Ensure that all of the following aws_s3_bucket_public_access_block fields are set to true:

    • block_public_acls

    • block_public_policy

    • ignore_public_acls

    • restrict_public_buckets

To enable block public access settings at the account level:

  • Ensure that all of the following aws_s3_account_public_access_block fields are set to true:

    • block_public_acls

    • block_public_policy

    • ignore_public_acls

    • restrict_public_buckets

Example Configuration

# Enable for a single bucket
resource "aws_s3_bucket" "private" {
  bucket = "example-bucket-name"
  # The "acl" argument is deprecated in AWS provider v4+; use a separate
  # aws_s3_bucket_acl resource only if an ACL is actually needed.
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = aws_s3_bucket.private.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Enable for an entire AWS account (the account the provider's credentials belong to)
resource "aws_s3_account_public_access_block" "main" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}