Rule: S3 Block Public Access Setting Should Be Enabled
This rule ensures that the S3 Block Public Access setting is properly enabled to enhance security measures.
| Rule | S3 Block Public Access setting should be enabled |
| Framework | PCI v3.2.1 |
| Severity | ✔ Medium |
Rule Description:
The S3 Block Public Access setting must be enabled for PCI v3 compliance. This setting ensures that no public access is allowed to any S3 bucket or object within the AWS account associated with PCI v3 regulated data.
Enabling this setting provides an additional layer of security and mitigates the risk of unintentional exposure of sensitive data through misconfigured permissions or accidental public access.
Troubleshooting Steps:
If the S3 Block Public Access setting is not enabled for PCI v3 compliance, you may encounter the following issues:
- 1.Inadvertent public access: There is a risk of inadvertently allowing public access to S3 buckets or objects, which may expose confidential or sensitive data to unauthorized individuals.
- 2.Compliance violations: Failure to enable this setting violates the PCI v3 requirement for securing confidential data.
To troubleshoot and enable the S3 Block Public Access setting, use the following steps:
- 1.Log in to the AWS Management Console.
- 2.Navigate to the S3 service.
- 3.Select the desired S3 bucket(s) that need to be protected.
- 4.Click on the "Permissions" tab.
- 5.Scroll down to the "Block public access (bucket settings)" section.
- 6.Ensure that the "Block all public access" checkbox is selected.
NOTE: By enabling the "Block all public access" setting, all public access to the selected bucket(s) will be blocked, including access through bucket policies and access control lists (ACLs). Make sure to review and validate the configurations to avoid any unintended consequences.
- 1.
Additionally, ensure that the following settings are also enabled:
- "Block public access to buckets and objects granted through new access control lists (ACLs)"
- "Block public access to buckets and objects granted through any public bucket or access point policies"
- "Ignore public ACLs and bucket policies"
- 2.
Once the settings are enabled, click on the "Save changes" button to save the configuration.
Necessary Code:
There is no specific code required to enable the S3 Block Public Access setting as it can be done through the AWS Management Console. However, if you prefer automating this process using AWS CLI or SDKs, you can use the following AWS CLI command:
aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
Replace
<bucket-name>Remediation Steps:
To remediate the S3 Block Public Access setting for PCI v3 compliance, follow these step-by-step instructions:
- 1.Log in to the AWS Management Console.
- 2.Go to the S3 service.
- 3.Identify the S3 bucket(s) that need to be protected for PCI v3 compliance.
- 4.Click on the bucket name to access its properties.
- 5.Select the "Permissions" tab.
- 6.Scroll down to the "Block public access (bucket settings)" section.
- 7.Ensure that the "Block all public access" checkbox is selected.
- 8.Confirm that the following settings are also enabled:
- "Block public access to buckets and objects granted through new access control lists (ACLs)"
- "Block public access to buckets and objects granted through any public bucket or access point policies"
- "Ignore public ACLs and bucket policies"
- 9.Save the changes by clicking the "Save changes" button.
Make sure to review the S3 bucket access and permissions policies regularly to ensure ongoing compliance with PCI v3 regulations.