Profile Applicability:

Level 1

Description:

Amazon S3 provides Block Public Access settings at both:
1. Bucket level (Prevents individual S3 buckets from being publicly accessible).
2. Account level (Prevents all S3 buckets in the AWS account from being publicly accessible).

By default, new S3 buckets are private. However, IAM policies or bucket policies can accidentally expose data to the public.

Rationale:

  • Prevents accidental data leaks by restricting public access.

  • Blocks misconfigured IAM or bucket policies from making objects public.

  • Helps achieve compliance with GDPR, HIPAA, SOC 2, PCI-DSS, and CIS controls.

  • Reduces attack surface, protecting sensitive company data from unauthorized access.

Impact:

  • Applies globally across all AWS Regions.

  • Blocks new public ACLs and bucket policies from making data publicly accessible.

  • Can break existing workflows if applications rely on public S3 access.

Default Value:
By default:

  • S3 buckets do NOT have public access.

  • Block Public Access settings are NOT enabled automatically.

  • Users can manually allow public access through bucket policies or ACLs.

Pre-Requisites:

  1. IAM permissions to modify S3 bucket and account settings

    • s3:PutAccountPublicAccessBlock, s3:GetAccountPublicAccessBlock, s3:PutBucketPublicAccessBlock, s3:GetBucketPublicAccessBlock

  2. AWS CLI installed (for automation)

  3. List of all S3 buckets in the account

Remediation:

Test Plan:

Using AWS Console

  • Check Bucket-Level Block Public Access
  1. Log in to the AWS Console → Open Amazon S3 Console

  2. Select an S3 bucket

  3. Click Permissions → Block Public Access

  4. Ensure that the following are enabled (checked):

    • Block all public access

    • Block public ACLs

    • Block public bucket policies

    • Restrict public bucket access

  • Check Account-Level Block Public Access
  1. Log in to the AWS Console → Open Amazon S3 Console

  2. Click "Block Public Access (account settings)"

  3. Ensure that the following are enabled (checked):

    • Block all public access

    • Block public ACLs

    • Block public bucket policies

    • Restrict public bucket access

If these settings are unchecked, proceed with remediation.

Using AWS CLI

Step 1: List All S3 Buckets

aws s3 ls

This will list all S3 buckets in your AWS account.

Step 2: Check Public Access Settings for Each Bucket

aws s3api get-public-access-block --bucket <bucket-name>

Expected Output (If Block Public Access is enabled):

{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    }
}

Step 3: Check Account-Wide Public Access Settings

aws s3control get-public-access-block --account-id <AWS_ACCOUNT_ID>

Expected Output (If Account-Level Block Public Access is enabled):

{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    }
}
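The three CLI checks above, combined into a single audit that walks every bucket and then the account-level setting. This is an added example, not part of the benchmark; it assumes boto3 is installed and credentials are configured with the Get*PublicAccessBlock permissions listed under Pre-Requisites plus s3:ListAllMyBuckets and sts:GetCallerIdentity. It also handles the case the CLI output above does not show: a bucket or account that has never had a configuration set, which the API reports as a NoSuchPublicAccessBlockConfiguration error rather than as four false flags.

```python
REQUIRED_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def missing_flags(config):
    """Names of the four settings that are not True in a
    PublicAccessBlockConfiguration dict ({} = nothing configured)."""
    return [flag for flag in REQUIRED_FLAGS if config.get(flag) is not True]


def fetch_config(call, **kwargs):
    """Run a get_public_access_block call, mapping the API's
    NoSuchPublicAccessBlockConfiguration error (nothing ever set,
    i.e. every flag effectively False) to an empty dict."""
    try:
        return call(**kwargs)["PublicAccessBlockConfiguration"]
    except Exception as exc:  # botocore ClientError carries .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return {}
        raise


def audit(s3, s3control, account_id):
    """Return {target: [missing flags]} for 'account' and each bucket.
    Compliant targets are omitted, so {} means fully compliant. `s3` and
    `s3control` are boto3 clients (or objects with the same methods)."""
    findings = {}
    gaps = missing_flags(fetch_config(s3control.get_public_access_block,
                                      AccountId=account_id))
    if gaps:
        findings["account"] = gaps
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        gaps = missing_flags(fetch_config(s3.get_public_access_block,
                                          Bucket=name))
        if gaps:
            findings[name] = gaps
    return findings


if __name__ == "__main__":
    import boto3  # imported here so the audit logic is importable offline
    account = boto3.client("sts").get_caller_identity()["Account"]
    result = audit(boto3.client("s3"), boto3.client("s3control"), account)
    for target, gaps in result.items():
        print(f"NON-COMPLIANT {target}: missing {', '.join(gaps)}")
    if not result:
        print("Block Public Access fully enabled at account and bucket level")
```

A non-empty result is the list of targets to feed into the remediation commands below; the account entry, when present, is the one that closes the gap for every bucket at once.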

Implementation Steps:

Using AWS Console

For a Specific S3 Bucket:

  1. Log in to the AWS Console → Open Amazon S3 Console

  2. Select an S3 bucket

  3. Click Permissions → Edit Public Access Settings

  4. Check all boxes:

    •  Block all public access

    •  Block new public ACLs

    •  Block public bucket policies

    •  Restrict public bucket access

  5. Click Save

  • Repeat for all S3 buckets.

For All S3 Buckets in an AWS Account:

  1. Log in to the AWS Console → Open Amazon S3 Console

  2. Click Block Public Access (account settings)

  3. Check all boxes:

    •  Block all public access

    •  Block new public ACLs

    •  Block public bucket policies

    •  Restrict public bucket access

  4. Click Save

  •  Now, NO S3 bucket in your AWS account can be made public.

Using AWS CLI

For a Specific S3 Bucket:

aws s3api put-public-access-block --bucket <bucket-name> \
--public-access-block-configuration \
"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

This blocks all public access to the specified S3 bucket.

For All S3 Buckets in an AWS Account:

aws s3control put-public-access-block \
--account-id <AWS_ACCOUNT_ID> \
--public-access-block-configuration \
"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

This enforces account-wide "Block Public Access" settings.
Backout Plan:

If certain S3 buckets must remain public for business purposes, selectively disable restrictions.
For a Specific S3 Bucket:

aws s3api delete-public-access-block --bucket <bucket-name>

Removes the restriction for that bucket only. Note that the account-level setting, if enabled, still applies to every bucket in the account, so a bucket cannot actually become public until that setting is also relaxed.

References: