S3 buckets should have all “block public access” options enabled

Description

S3 buckets should have all block public access options enabled. AWS’s S3 Block Public Access feature has four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets. All four settings should be enabled to reduce the risk of unintentionally exposing bucket data to the public.

Remediation Steps

AWS Console

  • Navigate to S3.

  • In the Bucket name list, choose the name of the bucket that you want.

  • Choose Permissions.

  • Choose Edit to change the public access settings for the bucket.

  • Check the box for Block all public access.

  • Click Save.

  • When you’re asked for confirmation, enter confirm. Then choose Confirm to save your changes.

AWS CLI

To enable all four block public access settings for a bucket:

aws s3api put-public-access-block \
    --bucket fugue-bucket-example \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Terraform

Example Configuration

resource "aws_s3_bucket" "private" {
  acl           = "private"   # deprecated in AWS provider 4.x; newer providers use a separate aws_s3_bucket_acl resource
  # other required fields here
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = aws_s3_bucket.private.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
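To verify the remediation above across buckets, the following added audit script (not part of the Fugue rule or AWS tooling) reads the same configuration the CLI command writes, via the get_public_access_block API, and lists any of the four settings that are not enabled. It assumes a boto3-style client; a constructed FakeS3 stand-in is included so it runs offline, and a bucket with no configuration at all (the API raises NoSuchPublicAccessBlockConfiguration) is correctly reported as having all four settings off.

```python
"""Audit S3 buckets for the four Block Public Access settings (added example)."""
from typing import Optional

# The four settings the rule requires; all must be True.
REQUIRED_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                     "BlockPublicPolicy", "RestrictPublicBuckets")

def missing_settings(config: Optional[dict]) -> list:
    """Return the required settings that are not enabled.

    None models a bucket with no configuration at all (the API raises
    NoSuchPublicAccessBlockConfiguration): every setting is then off."""
    if config is None:
        return list(REQUIRED_SETTINGS)
    return [name for name in REQUIRED_SETTINGS if config.get(name) is not True]

def audit_bucket(s3_client, bucket: str) -> list:
    """Read the bucket's settings via get_public_access_block; list what is missing."""
    try:
        resp = s3_client.get_public_access_block(Bucket=bucket)
    except Exception as exc:  # botocore ClientError carries .response["Error"]["Code"]
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return missing_settings(None)
        raise
    return missing_settings(resp["PublicAccessBlockConfiguration"])

class FakeS3:
    """Constructed stand-in for boto3.client('s3') so the example runs offline."""
    _data = {
        "fugue-bucket-example": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "partially-blocked": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    }

    def get_public_access_block(self, Bucket):
        if Bucket not in self._data:  # bucket never had the block applied
            err = Exception("NoSuchPublicAccessBlockConfiguration")
            err.response = {"Error": {"Code": "NoSuchPublicAccessBlockConfiguration"}}
            raise err
        return {"PublicAccessBlockConfiguration": dict(self._data[Bucket])}

if __name__ == "__main__":
    client = FakeS3()  # swap for boto3.client("s3") against a real account
    for name in ("fugue-bucket-example", "partially-blocked", "never-configured"):
        gaps = audit_bucket(client, name)
        print(name, "compliant" if not gaps else "missing " + ", ".join(gaps))
```

Note that this checks only the bucket-level configuration; an account-level Block Public Access setting, where present, applies in addition to it.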