Profile Applicability:

  • Level 2

Description:
Amazon S3 Multi-Region Access Points provide a global routing mechanism for S3 requests, enabling seamless data access across multiple regions. These access points allow users to access S3 data in different AWS regions through a single endpoint. However, to maintain a secure environment, it is important to ensure that Block Public Access Settings are enabled on Multi-Region Access Points. This ensures that no public access can be granted to the resources managed through the Multi-Region Access Points, thus reducing the risk of accidental exposure of sensitive data.

Rationale:
Enabling the Block Public Access Settings ensures that no unintended public access can be granted to S3 buckets or objects accessible through Multi-Region Access Points. This helps prevent the accidental exposure of sensitive data, ensuring that only authorized users and applications have access to the data. Public access to Multi-Region Access Points could lead to security vulnerabilities, data breaches, or non-compliance with regulatory requirements.

Impact:
 Pros:

  • Prevents accidental public access to data managed by Multi-Region Access Points.

  • Enhances the security of S3 data by ensuring only authorized access.

  • Helps comply with data protection regulations such as GDPR, HIPAA, and SOC 2.

  • Ensures proper access controls are in place for all regions, preventing inconsistent security settings.

Cons:

  • May require additional configuration and management if public access is needed for specific use cases.

  • Could complicate access control management if public access is needed for legitimate purposes, requiring the use of signed URLs or other access mechanisms.

Default Value:
By default, Multi-Region Access Points do not have Block Public Access Settings enabled. These settings must be explicitly configured to block all public access.

Pre-requisites:

  • AWS IAM permissions to configure Multi-Region Access Points and public access settings:
    s3control:PutMultiRegionAccessPoint
     s3control:GetMultiRegionAccessPoint

  • Access to configure the Multi-Region Access Point settings.

Remediation:

Test Plan:

Using AWS Console :

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 and select Multi-Region Access Points from the left-hand menu.

  3. Select the Multi-Region Access Point you want to check.

  4. Under the Block Public Access settings section, verify if the following options are enabled:

    • Block all public access to this access point and its resources

    • Block public access from any public policies

    • Block public access from any access control lists (ACLs)

  5. If these settings are not enabled, click Edit, enable the required public access block settings, and save the changes.

Using AWS CLI :

  1. List all Multi-Region Access Points:

    aws s3control list-multi-region-access-points --account-id <ACCOUNT_ID>

  2. For each Multi-Region Access Point, check the current Block Public Access settings:

    aws s3control get-multi-region-access-point --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME>

  3. If Block Public Access settings are not enabled, run the following command to enable them:

    aws s3control put-multi-region-access-point --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME> --block-public-access "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

  4. Verify the settings are updated:

    aws s3control get-multi-region-access-point --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME>

Implementation Plan:

Using AWS Console :

  1. Open the S3 Console and select Multi-Region Access Points.

  2. Choose the Multi-Region Access Point you want to configure.

  3. Under Block Public Access, enable the settings to block all public access and restrict public access to any resources managed through the access point.

  4. Save the changes and verify that public access is now blocked for the Multi-Region Access Point.

Using AWS CLI:

  1. Run the following command to enable Block Public Access settings:

    aws s3control put-multi-region-access-point --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME> --block-public-access "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

  2. Verify the changes by running:

    aws s3control get-multi-region-access-point --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME>

Backout Plan: 

Using AWS Console:

  1. If blocking public access causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3 and select the Multi-Region Access Point.

  3. Click Edit and disable Block Public Access Settings to allow public access if required.

  4. Save the changes and monitor the access point to ensure it functions as expected.

Using AWS CLI:

  1. To disable Block Public Access Settings, run:

    aws s3control put-public-access-block --account-id <ACCOUNT_ID> --bucket <MULTI_REGION_ACCESS_POINT_NAME> --public-access-block-configuration '{

  "BlockPublicAcls": false,
  "IgnorePublicAcls": false,
  "BlockPublicPolicy": false,
  "RestrictPublicBuckets": false

}'

  1. Verify that public access is now allowed:

    aws s3control get-public-access-block --account-id <ACCOUNT_ID> --bucket <MULTI_REGION_ACCESS_POINT_NAME>

Reference:

CIS Controls:

Version

Control ID

Control Description

7.1

4.1

Ensure that Multi-Region Access Points are protected by Block Public Access settings to prevent accidental exposure.

7.1

8.1

Restrict public access to Multi-Region Access Points to ensure that only authorized users can access data across regions.