Description:
The Amazon S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access. S3 Block Public Access settings override these policies and permissions so that you can limit public access to these resources.
Rationale:
With S3 Block Public Access, account administrators and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created. When Amazon S3 evaluates whether an operation is prohibited by a block public access setting, it rejects any request that violates an access point, bucket, or account setting.
Impact:
When you apply block public access settings to an account, the settings apply to all AWS regions globally. The settings might not take effect in all regions immediately or simultaneously, but they eventually propagate to all regions.
Default Value:
By default, S3 Bucket public read access is disabled.
Prerequisite:
Sign in as an admin or IAM user with the required permissions.
Remediation:
Test Plan:
Step 1: Sign in to the AWS Management Console.
Step 2: Open the S3 dashboard at https://console.aws.amazon.com/s3/.
Step 3: Select the S3 bucket that you want to examine.
Step 4: Click the Permissions tab.
Step 5: In the Access Control List (ACL) section, a grantee can be an AWS account or an AWS S3 predefined group. The grantee called "Everyone" is an AWS predefined group that grants access to everyone, including anonymous users. If the bucket ACL configuration specifies the "Everyone" predefined group with the List (READ) permission enabled, the selected S3 bucket is publicly accessible for content listing.
CLI Commands:
To view the bucket's Block Public Access settings, which override any public grant in the bucket ACL:
aws s3api get-public-access-block \
    --bucket my-bucket
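The following is an added example, not part of the original test plan, that applies the Step 5 check offline to saved CLI output: it parses constructed sample output of `aws s3api get-bucket-acl` and `aws s3api get-public-access-block` (the owner ID and grants are made up, not from a real account) and reports whether the "Everyone" group can list the bucket, taking into account that an IgnorePublicAcls block setting neutralises a public ACL grant.

```python
import json

# Constructed sample of `aws s3api get-bucket-acl --bucket my-bucket` output
# (not captured from a real account): the owner has FULL_CONTROL and the
# "Everyone" predefined group (AllUsers) has been granted READ, i.e. List.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "EXAMPLE-CANONICAL-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-OWNER-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}
""")

# The same bucket after `put-bucket-acl --acl private`: owner grant only.
PRIVATE_ACL = {"Owner": SAMPLE_ACL["Owner"],
               "Grants": [g for g in SAMPLE_ACL["Grants"]
                          if g["Grantee"]["Type"] != "Group"]}

# Constructed samples of `aws s3api get-public-access-block --bucket my-bucket`.
PAB_ALL_OFF = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
PAB_ALL_ON = {"PublicAccessBlockConfiguration": {
    k: True for k in PAB_ALL_OFF["PublicAccessBlockConfiguration"]}}

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # console: "Everyone"


def everyone_permissions(acl):
    """Permissions the bucket ACL grants to the AllUsers (Everyone) group."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") == ALL_USERS)


def is_publicly_listable(acl, pab):
    """True when Everyone holds READ (List) on the ACL and nothing neutralises it.

    IgnorePublicAcls makes S3 ignore existing public ACL grants; BlockPublicAcls
    only stops new public grants from being written, so it does not protect an
    already-public bucket. `pab` is None when the bucket has no block
    configuration; the account-level configuration should be checked the same way.
    """
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    if cfg.get("IgnorePublicAcls", False):
        return False
    return "READ" in everyone_permissions(acl)
```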
Implementation Steps:
Step 1: Sign in to the AWS Management Console.
Step 2: Open the S3 dashboard at https://console.aws.amazon.com/s3/.
Step 3: Select the S3 bucket that you want to modify.
Step 4: Click Permissions to expand the bucket Access Control List (ACL) configuration tab and search for the grantee (predefined group) named "Everyone".
Step 5: Uncheck the List (READ) permission applied to "Everyone".
Step 6: Click Save to apply the new ACL configuration and remove the bucket public READ (LIST) access.
Using AWS CLI:
To make the bucket private (the private canned ACL leaves only the owner's FULL_CONTROL grant):
aws s3api put-bucket-acl \
    --bucket cc-production-access-logs \
    --acl private
Backout plan:
To revert the change, follow steps 1-4 in the implementation section and, at step 5, re-check the List (READ) permission applied to "Everyone".
Using AWS CLI:
To make the bucket publicly readable again (the canned ACL is named public-read; there is no canned ACL called "public"):
aws s3api put-bucket-acl \
    --bucket cc-production-access-logs \
    --acl public-read
References:
Blocking public access to your Amazon S3 storage - Amazon Simple Storage Service