Description: 

The Amazon S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access. S3 Block Public Access settings override these policies and permissions so that you can limit public access to these resources.


Rationale: 

S3 Block Public Access, account administrators, and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created.

When Amazon S3 receives a request to access a bucket or an object, it determines whether the bucket or the bucket owner's account has a block public access setting applied. If the request was made through an access point, Amazon S3 also checks for block public access settings for the access point. If there is an existing block public access setting that prohibits the requested access, Amazon S3 rejects the request.


Impact:

Allowing public access to the Amazon S3 bucket allows any Internet user to view, download, modify, and delete S3 objects without restrictions. Exposing your S3 bucket to the public internet can result in data breaches, data loss, and unexpected charges to your AWS account.


Default value:

  1. when you create or select any S3 bucket the default value will be.


Pre-Requisite:

  1. You must have at least one S3 bucket.


Remediation:


Test plan:

  1. Sign in to the AWS Management Console

  2. Navigate to S3 dashboard S3 Management Console (amazon.com)

  3.  Select the bucket in which you want to change access permissions.

  4. Click on permissions.

  5. Under the permissions tab, we can find whether the S3 bucket is public or private 6.If the S3 bucket is public accessible then we need to follow the implementation steps.


Implementation:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://us-east-2.console.aws.amazon.com/ec2/v2/home?region=us-east-2#Home:

  2. Click on the services.


3. click on the S3 storage.


4. Open the bucket in which you want to change access permissions. 

5. Click on permissions.


6. Click on Edit.


7. Enable the check block of all public access.

 

8. Click on Save changes.


Using AWS CLI:


The following put-public-access-block example toggles all block public access settings to true for the specified account.

aws s3api put-public-access-block \
    --bucket my-bucket \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"


Backup plan:

  1.  Sign in to the AWS Management Console and open the Amazon S3 console at https://us-east-2.console.aws.amazon.com/ec2/v2/home?region=us-east-2#Home:

  2. Click on the services.

  3. Click on the S3 storage

  4.  Open the bucket in which you want to change access permissions.

 

5. Click on permissions.

6. Click on Edit.

7. Uncheck the Block of all public access.


8. Click on Save changes.


Note:
An Amazon S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. This means that after a bucket is created, the name of that bucket cannot be used by another AWS account in any AWS Region until the bucket is deleted. You should not depend on specific bucket naming conventions for availability or security verification purposes.

 

Reference:

Creating a bucket - Amazon Simple Storage Service 

put-public-access-block — AWS CLI 1.22.68 Command Reference