S3 buckets should have all “block public access” options enabled¶
Description¶
S3 buckets should have all block public access options enabled. AWS’s S3 Block Public Access feature has four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets. All four settings should be enabled to help prevent the risk of a data breach.
Remediation Steps¶
AWS Console¶
To enable block public access settings at the bucket level:
Navigate to S3.
In the Bucket name list, choose the name of the bucket that you want.
Choose Permissions.
Choose Edit to change the public access settings for the bucket.
Check the box for Block all public access.
Click Save.
When you’re asked for confirmation, enter confirm. Then choose Confirm to save your changes.
To enable block public access settings at the account level:
Navigate to S3.
In the left navigation, select Block Public Access settings for this account.
Choose Edit to change the block public access settings for all the buckets in your AWS account.
Choose the settings that you want to change, and then choose Save changes.
When you’re asked for confirmation, enter confirm. Then choose Confirm to save your changes.
AWS CLI¶
To enable block public access settings at the bucket level:
aws s3api put-public-access-block \
    --bucket fugue-bucket-example \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
To enable block public access settings at the account level:
aws s3control put-public-access-block \
    --account-id 123456789012 \
    --public-access-block-configuration '{"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}'
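The four settings above are evaluated per bucket and per account, and S3 applies the most restrictive combination of the two levels. The following added example (not Fugue’s or AWS’s own code) merges both levels the same way and reports which of the four settings are not effectively enabled; it assumes the dict shape returned by boto3’s get_public_access_block and treats a bucket that has never had the block configured (error code NoSuchPublicAccessBlockConfiguration) as having nothing enabled.

```python
"""Evaluate S3 Block Public Access settings against this rule.

Added example, not part of the original page. It assumes the response shape of
boto3's s3 / s3control get_public_access_block calls:
{"PublicAccessBlockConfiguration": {"BlockPublicAcls": bool, ...}}.
"""

REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def effective_settings(bucket_cfg, account_cfg=None):
    """Merge bucket- and account-level configurations.

    A setting is effectively on if either level enables it. A missing
    configuration (None) behaves as all-false.
    """
    bucket_cfg = bucket_cfg or {}
    account_cfg = account_cfg or {}
    return {
        name: bool(bucket_cfg.get(name, False)) or bool(account_cfg.get(name, False))
        for name in REQUIRED_SETTINGS
    }


def missing_settings(bucket_cfg, account_cfg=None):
    """Return the names of the settings that are not effectively enabled."""
    eff = effective_settings(bucket_cfg, account_cfg)
    return [name for name in REQUIRED_SETTINGS if not eff[name]]


def fetch_bucket_config(s3_client, bucket):
    """Read one bucket's configuration, or None if it was never configured."""
    try:
        resp = s3_client.get_public_access_block(Bucket=bucket)
    except Exception as exc:  # botocore's ClientError carries a .response dict
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise
    return resp["PublicAccessBlockConfiguration"]


def audit_bucket(s3_client, bucket, account_cfg=None):
    """Return (compliant, missing_setting_names) for a single bucket."""
    missing = missing_settings(fetch_bucket_config(s3_client, bucket), account_cfg)
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed sample: two settings off at the bucket level, no account-level block.
    sample = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
    print(missing_settings(sample))  # ['BlockPublicPolicy', 'RestrictPublicBuckets']
```

For a real run, pass `boto3.client("s3")` as `s3_client` and the account-level dict from `boto3.client("s3control").get_public_access_block(AccountId=...)` as `account_cfg`.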
CloudFormation¶
Block public access settings currently cannot be enabled at the account level in CloudFormation. Enable these settings for each bucket instead.
JSON¶
Ensure that AWS::S3::Bucket contains the following:
{
    "Properties" : {
        "BucketName" : "Example-Bucket-Name",
        "PublicAccessBlockConfiguration" : {
            "BlockPublicAcls" : true,
            "BlockPublicPolicy" : true,
            "IgnorePublicAcls" : true,
            "RestrictPublicBuckets" : true
        }
    }
}
JSON Example Configuration¶
{
    "Type" : "AWS::S3::Bucket",
    "Properties" : {
        "BucketName" : "Example-Bucket-Name",
        "PublicAccessBlockConfiguration" : {
            "BlockPublicAcls" : true,
            "BlockPublicPolicy" : true,
            "IgnorePublicAcls" : true,
            "RestrictPublicBuckets" : true
        }
    }
    # other required fields here
}
YAML¶
Ensure that AWS::S3::Bucket contains the following:
Properties:
  BucketName: Example-Bucket-Name
  PublicAccessBlockConfiguration:
    BlockPublicAcls: true
    BlockPublicPolicy: true
    IgnorePublicAcls: true
    RestrictPublicBuckets: true
YAML Example Configuration¶
Type: 'AWS::S3::Bucket'
Properties:
  BucketName: Example-Bucket-Name
  PublicAccessBlockConfiguration:
    BlockPublicAcls: true
    BlockPublicPolicy: true
    IgnorePublicAcls: true
    RestrictPublicBuckets: true
  # other required fields here
Terraform¶
To enable block public access settings at the bucket level:
Ensure that the aws_s3_bucket is referenced in the bucket field of an aws_s3_bucket_public_access_block, and that all of the following aws_s3_bucket_public_access_block fields are set to true:
block_public_acls
block_public_policy
ignore_public_acls
restrict_public_buckets
To enable block public access settings at the account level:
Ensure that all of the following aws_s3_account_public_access_block fields are set to true:
block_public_acls
block_public_policy
ignore_public_acls
restrict_public_buckets
Example Configuration¶
# Enable for a single bucket
resource "aws_s3_bucket" "private" {
  acl = "private"
  # other required fields here
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = aws_s3_bucket.private.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}