Rule: S3 Block Public Access Setting
Ensure S3 Block Public Access setting is enabled at the bucket level.
| Rule | S3 Block Public Access setting should be enabled at the bucket level |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ High |
Rule Description
The S3 Block Public Access setting should be enabled at the bucket level for AWS Foundational Security Best Practices. This rule is recommended in order to prevent any accidental exposure of sensitive data stored in Amazon S3 buckets to the public internet.
Troubleshooting Steps
If you encounter any issues while enabling the S3 Block Public Access setting, follow the troubleshooting steps below:
- 1.
Permission Errors: Ensure that you have the necessary IAM permissions to modify the bucket settings. Check if you have the
permission in your IAM policy.s3:PutBucketPublicAccessBlock - 2.
Incorrect Bucket Name: Verify that you are specifying the correct bucket name while enabling the Block Public Access setting. Validate the provided bucket name against the existing bucket names in your AWS account.
- 3.
Region Mismatch: Check if the bucket and your AWS CLI configuration are in the same AWS region. The Block Public Access settings are specific to each region, so you may receive errors if there is a mismatch.
Necessary Codes
The following code snippet can be used to enable the S3 Block Public Access setting on a specific bucket:
aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
Step-by-Step Guide for Remediation
Follow the step-by-step guide below to enable the S3 Block Public Access setting at the bucket level:
- 1.
Login to AWS Management Console: Access the AWS Management Console using your credentials.
- 2.
Navigate to S3 Service: Once logged in, search for and select the Amazon S3 service from the available services.
- 3.
Select the Desired Bucket: In the S3 Management Console, locate and click on the bucket for which you want to enable the Block Public Access setting.
- 4.
Access Bucket Properties: In the bucket overview page, click on the "Properties" tab.
- 5.
Enable Block Public Access: Under the "Access control" section, click on the "Edit" button next to the "Block public access" option.
- 6.
Enable Block Public Access Settings: In the "Block public access" configuration, make sure to set all the following settings to "On":
- Block new public ACLs (Access Control Lists)
- Block public bucket policies
- Block public and cross-account access if bucket has public policies
- Restrict public access to buckets and objects within buckets
- 7.
Save Changes: Click on the "Save changes" button to apply the Block Public Access settings to the bucket.
- 8.
Verify the Block Public Access: After saving the changes, validate that the Block Public Access settings have been enabled by checking the status under the "Access control" section.
By following these steps, you can ensure that the S3 Block Public Access setting is enabled at the bucket level, enhancing the security of your AWS resources and preventing any accidental exposure of sensitive data to the public internet.