Profile Applicability:

  • Level 2

Description:
Amazon S3 allows the configuration of Account-level Public Access Block to prevent the accidental or unauthorized exposure of data to the public. This feature is essential for ensuring that no S3 bucket within the account is publicly accessible unless explicitly configured. By enabling the account-level public access block, you can enforce stricter policies that prevent public access to all S3 buckets and objects, including those that may inherit bucket permissions from the account.

Rationale:
Enabling the Account Level Public Access Block helps to reduce the risk of accidental data exposure. By ensuring that public access is blocked at the account level, organizations can implement a secure and consistent access control policy for all S3 buckets, reducing the likelihood of data leaks. This feature helps organizations maintain compliance with data protection regulations such as GDPR, HIPAA, and SOC 2.

Impact:
Pros:

  • Ensures that no S3 bucket or object is publicly accessible unless explicitly configured.

  • Prevents accidental exposure of sensitive or confidential data.

  • Enhances the overall security posture by ensuring consistent public access controls across all buckets.

  • Simplifies managing access to S3 buckets by applying a global setting to the account.

Cons:

  • Could interfere with legitimate use cases where public access to certain S3 buckets or objects is required.

  • May require updates to existing permissions if public access is needed for specific buckets or objects.

Default Value:
By default, Account Level Public Access Block is not enabled. It must be manually configured via the S3 settings to block public access at the account level.

Pre-requisites:

  • AWS IAM permissions to manage the account-level public access block:

    s3:PutAccountPublicAccessBlock
    s3:GetAccountPublicAccessBlock

  • Access to the AWS Management Console or CLI for managing account-level public access settings.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to S3.

  3. In the S3 Dashboard, select Account Settings from the left-hand menu.

  4. Under the Public Access Block settings, verify that all options for Block all public access are enabled:

    • Block public access to buckets and objects granted through new public bucket or access point policies

    • Block public and cross-account access to buckets and objects through any access control lists (ACLs)

    • Block public access to buckets and objects granted through any public bucket policies

    • Ignore public ACLs

  5. If any of these settings are not enabled, click Edit, enable the appropriate options, and save the changes.

Using AWS CLI:

  1. Check the current public access block configuration for the account (the account-level setting lives in the S3 Control API, so replace <ACCOUNT_ID> with the AWS account ID):

    aws s3control get-public-access-block --account-id <ACCOUNT_ID>

  2. The output displays the current status of the four public access block settings for the account. If no account-level configuration exists, the command returns a NoSuchPublicAccessBlockConfiguration error, which should be treated as a failing result.

  3. If public access block is not fully enabled, enable it using the following command:

    aws s3control put-public-access-block --account-id <ACCOUNT_ID> --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

  4. Verify the changes:

    aws s3control get-public-access-block --account-id <ACCOUNT_ID>
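To make steps 1 and 2 repeatable, the following is an added Python example (not part of this benchmark) that evaluates the JSON printed by the get command and reports which of the four settings are not enabled; the sample outputs are constructed, and a NoSuchPublicAccessBlockConfiguration error from the real command should be passed in as None.

```python
import json
from typing import Optional

# The four settings that together make up "Block all public access".
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def missing_settings(get_output: Optional[str]) -> list:
    """Return the names of the settings that are not enabled.

    get_output is the JSON printed by the get command. None models an
    account with no configuration at all (the API reports
    NoSuchPublicAccessBlockConfiguration), which counts as fully open.
    A setting that is absent, or anything other than true, is reported.
    """
    if get_output is None:
        return list(REQUIRED_SETTINGS)
    config = json.loads(get_output).get("PublicAccessBlockConfiguration", {})
    return [name for name in REQUIRED_SETTINGS if config.get(name) is not True]


def is_compliant(get_output: Optional[str]) -> bool:
    """True only when all four settings are enabled."""
    return not missing_settings(get_output)


# Constructed sample outputs (not captured from a real account).
SAMPLE_PARTIAL = json.dumps({
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": False,   # one setting left off
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }
})
SAMPLE_FULL = json.dumps({
    "PublicAccessBlockConfiguration": {name: True for name in REQUIRED_SETTINGS}
})

if __name__ == "__main__":
    for label, out in (("partial", SAMPLE_PARTIAL), ("full", SAMPLE_FULL), ("none", None)):
        gaps = missing_settings(out)
        print(label, "PASS" if not gaps else "FAIL: " + ", ".join(gaps))
```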

Implementation Plan:

Using AWS Console:

  1. Open the S3 Console and navigate to Account Settings.

  2. Under Public Access Block, ensure that all settings are enabled to block public access at the account level.

  3. Enable the settings if any are disabled, then click Save Changes to apply the new configuration.

Using AWS CLI:

  1. To enable the Public Access Block at the account level, use the following command (replace <ACCOUNT_ID> with the AWS account ID):

    aws s3control put-public-access-block --account-id <ACCOUNT_ID> --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

  2. Verify that the block settings are now configured by using:

    aws s3control get-public-access-block --account-id <ACCOUNT_ID>

Backout Plan:

Using AWS Console:

  1. If the account-level public access block causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3 and select Block Public Access under Account Settings.

  3. Click Edit and disable the settings to allow public access if needed.

  4. Save the changes and verify that public access is allowed for the buckets as per your requirements.

Using AWS CLI:

  1. To disable the account-level public access block, run (replace <ACCOUNT_ID> with the AWS account ID):

    aws s3control put-public-access-block --account-id <ACCOUNT_ID> --public-access-block-configuration '{
      "BlockPublicAcls": false,
      "IgnorePublicAcls": false,
      "BlockPublicPolicy": false,
      "RestrictPublicBuckets": false
    }'

  2. Verify that public access is now allowed:

    aws s3control get-public-access-block --account-id <ACCOUNT_ID>

Reference:

CIS Controls:

Version | Control ID | Control Description
--------|------------|--------------------
7.1     | 4.1        | Ensure that all S3 buckets are protected by an account-level public access block to prevent accidental exposure of data.
7.1     | 8.1        | Configure public access block settings to restrict unauthorized access to S3 buckets and ensure compliance with security best practices.