Description:
Ensure that the S3 Block Public Access feature is enabled for your AWS account to restrict public access to all your S3 buckets, including those that you create in the future. This feature has the ability to override existing policies and permissions in order to block S3 public access and to make sure that this type of access is not granted to newly created buckets and objects. When configuring Amazon S3 Block Public Access, you have two options for managing public ACLs and two for managing public bucket policies:
1. Manage public Access Control Lists (ACLs):
Block new public ACLs and uploading public objects (Block Public Acls)
Remove public access granted through public ACLs (Ignore Public Acls)
2. Manage public S3 bucket policies:
Block new public bucket policies (Block Public Policy)
Block public and cross-account access to buckets that have public policies (Restrict Public Buckets)
Rationale:
Unless the Amazon S3 service is used for web hosting or public data repositories within your AWS account, blocking public access to all your S3 data will serve as an account-level guard against accidental public exposure.
Impact:
To ensure that public access to all your S3 buckets and objects is blocked, turn on block all public access. These settings apply account-wide for all current and future buckets. With a few clicks in the S3 management console, you can apply S3 Block Public Access to every bucket in your account – both existing and any new buckets created in the future.
Default Value:
By default, in order to ensure that public access to all your S3 buckets and objects is blocked, turn on Block all public access.
Audit:
Step 1: Sign in to the AWS Management Console.
Step 2: Navigate to the S3 dashboard at https://console.aws.amazon.com/s3/
Step 3: In the left navigation panel, choose Public access settings for this account.
Step 4: On the Public access settings for this account page, check the configuration status for all the settings available under Manage public access control lists (ACLs) and Manage public bucket policies. If the configuration status for all the settings, i.e. Block new public ACLs and uploading public objects, Remove public access granted through public ACLs, Block new public bucket policies, and Block public and cross-account access to buckets that have public policies, is set to False, the Amazon S3 Block Public Access feature is not enabled in your AWS account; therefore public access is not currently restricted for S3 data protection at the AWS account level.
Remediation:
Pre-Requisite:
Sign in as an Admin or IAM user with the required permissions.
Implementation Steps:
Using AWS Console:
Step 01: Sign in to the AWS Management Console.
Step 02: Navigate to the S3 dashboard at https://console.aws.amazon.com/s3/.
Step 03: In the left navigation panel, choose Public access settings for this account to access the S3 Public Access Block feature configuration page.
Step 04: On the configuration page, under Public access settings for this account, click Edit to enter the feature's edit mode.
Step 05: To enable Amazon S3 Public Access Block, select all four configuration settings (Block new public ACLs and uploading public objects, Remove public access granted through public ACLs, Block new public bucket policies, and Block public and cross-account access to buckets that have public policies) and click the Save button from the top-right menu. These access settings are applied to all your existing S3 buckets and also to those that you create in the future.
Step 06: Within the Edit public access settings for this account dialog box, type confirm in the required box, then click Confirm to apply the changes.
Using AWS CLI:
aws s3control put-public-access-block --region us-east-1 --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true --account-id 123456789012
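The audit in Step 4 above and the CLI remediation can be checked programmatically. The following script is an added example, not part of the original benchmark text: it evaluates a PublicAccessBlockConfiguration (the structure returned by `aws s3control get-public-access-block`) against the four required settings, and optionally fetches the live configuration with boto3 (assumed to be installed and credentialed). The sample configuration is constructed for illustration.

```python
"""Audit the account-level S3 Block Public Access configuration."""
from typing import Dict, List

# The four account-level settings the benchmark requires to be True, keyed by
# the API field name used in the CLI's --public-access-block-configuration.
REQUIRED_SETTINGS = {
    "BlockPublicAcls": "Block new public ACLs and uploading public objects",
    "IgnorePublicAcls": "Remove public access granted through public ACLs",
    "BlockPublicPolicy": "Block new public bucket policies",
    "RestrictPublicBuckets": "Block public and cross-account access to buckets "
                             "that have public policies",
}


def find_disabled_settings(config: Dict[str, bool]) -> List[str]:
    """Return the API names of settings that are missing or not True.

    A missing key is treated as disabled: if the account has never had a
    Public Access Block configured, nothing is blocked.
    """
    return [name for name in REQUIRED_SETTINGS if config.get(name) is not True]


def is_compliant(config: Dict[str, bool]) -> bool:
    """True only when all four settings are explicitly enabled."""
    return not find_disabled_settings(config)


def audit_account(account_id: str, region: str = "us-east-1") -> List[str]:
    """Fetch the live account configuration and return its disabled settings.

    Assumption: boto3 is installed and AWS credentials are configured. An
    account with no configuration at all is reported as all four disabled.
    """
    import boto3  # imported lazily so the pure checks above run offline
    client = boto3.client("s3control", region_name=region)
    try:
        resp = client.get_public_access_block(AccountId=account_id)
    except client.exceptions.NoSuchPublicAccessBlockConfiguration:
        return list(REQUIRED_SETTINGS)
    return find_disabled_settings(resp["PublicAccessBlockConfiguration"])


# Constructed sample: a partially configured account (two of four enabled).
SAMPLE_PARTIAL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": False,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": False,
}

if __name__ == "__main__":
    for name in find_disabled_settings(SAMPLE_PARTIAL):
        print(f"FAIL: {REQUIRED_SETTINGS[name]} ({name}) is not enabled")
```

Any setting reported by `find_disabled_settings` is one the Step 05 console procedure or the `put-public-access-block` command above must turn on.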
Back-out Plan:
If you want to revoke the changes you made, follow steps 1 to 5 in the Implementation Steps section and restrict Amazon S3 public access for other Amazon Web Services (AWS) accounts.
References:
1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
2. https://docs.aws.amazon.com/cli/latest/reference/s3control/get-public-access-block.html
3. https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html