S3 buckets should have all “block public access” options enabled

Description

S3 buckets should have all block public access options enabled. AWS’s S3 Block Public Access feature has four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets. All four settings should be enabled to help prevent the risk of a data breach.

Console Remediation Steps

• Navigate to S3.

• In the Bucket name list, choose the name of the bucket that you want.

• Choose Permissions.

• Choose Edit to change the public access settings for the bucket.

• Check the box for Block all public access.

• Click Save.

• When you’re asked for confirmation, enter confirm. Then choose Confirm to save your changes.

CLI Remediation Steps

To enable all four block public access settings for a bucket:

aws s3api put-public-access-block \
    --bucket fugue-bucket-example \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Documentation Links

• Using Amazon S3 Block Public Access

• How Do I Edit Public Access Settings for S3 Buckets? (Console)

• put-public-access-block (CLI)