Profile Applicability:

  • Level 1

Description:
Amazon S3 allows for bucket-level public access block settings that prevent the exposure of data to the public. These settings ensure that no objects or permissions are publicly accessible in the bucket unless explicitly allowed. The Bucket Level Public Access Block is essential to prevent accidental or unauthorized exposure of sensitive data to the public, helping to enforce security policies and best practices for S3 bucket management.

Rationale:
Enabling the S3 Bucket Level Public Access Block ensures that the contents of your S3 buckets are not accessible by the public or by any unauthorized user. This feature reduces the risk of data breaches, accidental exposure, and ensures that sensitive information is protected from unauthorized access. This setting should be enabled on all buckets unless there is a specific need for public access, which should be granted only through controlled methods (e.g., signed URLs, IAM policies).

Impact:
 Pros:

  • Prevents accidental or unauthorized public access to S3 buckets and objects.

  • Ensures data security and privacy by blocking all public access by default.

  • Helps with compliance to data protection regulations (e.g., GDPR, HIPAA, SOC 2).

  • Reduces risk of exposure to unauthorized users or services.

Cons:

  • Can interfere with legitimate use cases where public access to certain objects or buckets is required.

  • May require additional configuration for specific use cases where public access is needed, such as public websites or content distribution.

Default Value:
By default, S3 buckets do not have public access block settings enabled. These settings need to be explicitly configured to block public access at the bucket level.

Pre-requisites:

  • AWS IAM permissions to manage S3 bucket settings:
    s3:PutBucketPublicAccessBlock
     s3:GetBucketPublicAccessBlock

  • Access to the S3 bucket configuration to review the public access settings.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 and select Buckets from the left-hand menu.

  3. Select the S3 bucket you want to check.

  4. Under the Permissions tab, review the Block Public Access (Bucket Settings) section.

  5. Ensure that the following settings are enabled:

    • Block all public access to this bucket and its objects

    • Block public access granted through any bucket or access point policies

    • Block public access granted through any access control lists (ACLs)

    • Ignore public ACLs

  6. If any of these settings are not enabled, click Edit, enable the required public access block settings, and save the changes.

Using AWS CLI:

  1. List all S3 buckets:

    aws s3api list-buckets --query "Buckets[*].Name"

  2. For each bucket, check the current public access block configuration:

    aws s3api get-bucket-public-access-block --bucket <BUCKET_NAME>

  3. If public access block settings are not configured or need to be modified, run the following command to enable all public access block settings:

    aws s3api put-bucket-public-access-block --bucket <BUCKET_NAME> --public-access-block-configuration \
"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

  1. Verify the updated configuration:

    aws s3api get-bucket-public-access-block --bucket <BUCKET_NAME>

Implementation Plan:

Using AWS Console:

  1. Open the S3 Console and select Buckets.

  2. Choose the desired bucket and go to the Permissions tab.

  3. In the Block Public Access (Bucket Settings) section, ensure that all options to block public access are enabled.

  4. Save the changes to block all public access for the selected bucket.

Using AWS CLI:

  1. To enable Block Public Access at the bucket level, run the following command:

    aws s3api put-bucket-public-access-block --bucket <BUCKET_NAME> --public-access-block-configuration \
"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

  1. Verify the changes by running:

    aws s3api get-bucket-public-access-block --bucket <BUCKET_NAME>

Backout Plan: 

Using AWS Console:

  1. If the Bucket Level Public Access Block causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3 and select the bucket to modify.

  3. Click Edit and disable the Block Public Access settings to allow public access.

  4. Save the changes and monitor the bucket to ensure it functions as expected.

Using AWS CLI:

  1. To revert the Bucket Level Public Access Block, run:

    aws s3api put-bucket-public-access-block --bucket <BUCKET_NAME> --public-access-block-configuration '{

  "BlockPublicAcls": false,
  "IgnorePublicAcls": false,
  "BlockPublicPolicy": false,
  "RestrictPublicBuckets": false

}'

  1. Verify that the public access settings are now disabled:

    aws s3api get-bucket-public-access-block --bucket <BUCKET_NAME>


Reference:

CIS Controls:

Version

Control ID

Control Description

7.1

4.1

Ensure that public access is blocked for all S3 buckets unless explicitly required for operational purposes.

7.1

8.1

Enable Block Public Access settings on all S3 buckets to prevent unauthorized access and ensure the security of your data.