S3 buckets should have all “block public access” options enabled¶

Description¶

S3 buckets should have all block public access options enabled. AWS’s S3 Block Public Access feature has four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets. All four settings should be enabled to help prevent the risk of a data breach.

Remediation Steps¶

AWS Console¶

Navigate to S3.
In the Bucket name list, choose the name of the bucket that you want.
Choose Permissions.
Choose Edit to change the public access settings for the bucket.
Check the box for Block all public access.
Click Save.
When you’re asked for confirmation, enter confirm. Then choose Confirm to save your changes.

AWS CLI¶

To enable all four block public access settings for a bucket:

aws s3api put-public-access-block \
    --bucket fugue-bucket-example \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Terraform¶

Ensure that the aws_s3_bucket is referenced in an aws_s3_bucket_public_access_block bucket field and that all of the following aws_s3_bucket_public_access_block fields are set to true:
- block_public_acls
- block_public_policy
- ignore_public_acls
- restrict_public_buckets

Example Configuration¶

resource "aws_s3_bucket" "private" {
  acl           = "private"
  # other required fields here
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = "${aws_s3_bucket.private.id}"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

S3 buckets should have all “block public access” options enabled¶

Description¶

Remediation Steps¶

AWS Console¶

AWS CLI¶

Terraform¶

Example Configuration¶

Documentation Links¶

AWS Console and CLI¶

Terraform¶