Description:
The Amazon S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access. S3 Block Public Access settings override these policies and permissions so that you can limit public access to these resources.
Rationale:
S3 Block Public Access, account administrators, and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created.
When Amazon S3 receives a request to access a bucket or an object, it determines whether the bucket or the bucket owner's account has a block public access setting applied. If the request was made through an access point, Amazon S3 also checks for block public access settings for the access point. If there is an existing block public access setting that prohibits the requested access, Amazon S3 rejects the request.
Impact:
You can access your bucket using the Amazon S3 console. Using the console UI, you can perform almost all bucket operations without having to write any code. If you access a bucket programmatically, Amazon S3 supports RESTful architecture in which your buckets and objects are resources, each with a resource URI that uniquely identifies the resource.
Amazon S3 supports both virtual-hosted–style and path-style URLs to access a bucket. Because buckets can be accessed using path-style and virtual-hosted–style URLs, we recommend that you create buckets with DNS-compliant bucket names.
Default value:
When you create or select any S3 bucket the default value will be. Default encryption works with all existing and new Amazon S3 buckets. Without default encryption, to encrypt all objects stored in a bucket, you must include encryption information with every object storage request. You must also set up an Amazon S3 bucket policy to reject storage requests that don't include encryption information.
Audit:
- Sign in to the AWS Management Console and open the Amazon S3 console at
https://us-east-2.console.aws.amazon.com/ec2/v2/home - Click on the services.
- Click on the S3 storage.
- Create a bucket or check your existing S3 buckets.
Remediation:
Pre-Requisite:
S3 Block Public Access provides four settings. These settings are independent and can be used in any combination. Each setting can be applied to an access point, a bucket, or an entire AWS account.
If the block public access settings for the access point, bucket, or account differ, then Amazon S3 applies the most restrictive combination of the access point, bucket, and account settings. You can enable block public access settings only for access points, buckets, and AWS accounts.
S3 doesn't support block public access settings on a per-object basis. When you apply block public access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.
Implementation:
- Sign in to the AWS Management Console and open the Amazon S3 console at
https://us-east-2.console.aws.amazon.com/ec2/v2/home - Click on the services.
- Click on the S3 storage.
- Click on the create bucket and access the settings.
- Enable block public access on the Amazon S3 console:
Amazon S3 Block Public Access provides four settings. You can apply these settings in any combination to individual access points, buckets, or entire AWS accounts. The following image shows how to enable block public access on the Amazon S3 console for your account.
Note:
An Amazon S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. This means that after a bucket is created, the name of that bucket cannot be used by another AWS account in any AWS Region until the bucket is deleted. You should not depend on specific bucket naming conventions for availability or security verification purposes.
CLI Remediation:
The following put-public-access-block example toggles all block public access settings to true for the specified account.
aws s3control put-public-access-block \ --account-id 123456789012 \ --public-access-block-configuration '{"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}'
References:
- https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html
- 164.312(a)(2)(ii) - Access Control - Emergency Access Procedure - Establish (and implement as needed) procedures for obtaining necessary electronically protected health information during an emergency.