Profile Applicability:

  • Level 2

Description:
Amazon S3 Access Points simplify managing data access at scale for shared datasets in S3. However, to prevent unauthorized access and ensure data security, it is essential to enable Block Public Access Settings on all S3 Access Points. Enabling these settings ensures that no public access is allowed to the data through these access points, even if the data is shared across multiple users or applications.

Rationale:
Enabling Block Public Access Settings on S3 Access Points ensures that the datasets are not exposed to unauthorized access. This is particularly important to prevent accidental or malicious data leaks, as well as ensuring compliance with security best practices and regulatory requirements (e.g., GDPR, HIPAA). By blocking public access, you reduce the risk of exposing sensitive information and maintain tighter control over who can access your S3 data.

Impact:
 Pros:

  • Prevents public access to sensitive data, ensuring compliance with security policies.

  • Ensures data protection and confidentiality by blocking any unauthorized public access.

  • Reduces the risk of security incidents related to exposed data in S3.

  • Simplifies management of access controls across multiple users and applications.

Cons:

  • Could interfere with legitimate use cases where public access to certain data through access points is required (e.g., public datasets or websites).

  • May require additional configurations for services or applications that need public access to specific data.

Default Value:
By default, Block Public Access Settings are not enabled on S3 Access Points. These settings must be manually configured to prevent public access.

Pre-requisites:

  • AWS IAM permissions to configure S3 Access Point settings:
     s3control:PutAccessPointPolicy
     s3control:GetAccessPoint

  • Access to the S3 Access Point configurations.

Remediation:

Test Plan:

Using AWS Console :

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 and select Access Points from the left-hand menu.

  3. Choose the Access Point for which you want to verify the public access settings.

  4. Under the Permissions tab, review the Block Public Access Settings section.

  5. Ensure that the following settings are enabled:

    • Block all public access to this access point and its resources

    • Block public access from any public policies

    • Block public access from any access control lists (ACLs)

    • Ignore public ACLs

  6. If the settings are not enabled, click Edit, enable the required block public access settings, and save the changes.

Using AWS CLI 

  1. List all S3 Access Points:

    aws s3control list-access-points --account-id <ACCOUNT_ID>

  2. For each access point, check the current public access block configuration:

    aws s3control get-access-point-policy --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME>

  3. If public access block settings are not configured, enable them by running:

    aws s3control put-access-point-policy --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME> --block-public-access "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

  4. Verify the updated configuration:

    aws s3control get-access-point-policy --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME>

Implementation Plan:

Using AWS Console :

  1. Open the S3 Console and navigate to Access Points.

  2. Choose the desired access point and go to the Permissions tab.

  3. Under Block Public Access Settings, ensure that all options to block public access are enabled.

  4. Save the changes to block all public access for the selected access point.

Using AWS CLI :

  1. To enable the Block Public Access settings for an access point, run the following command:

    aws s3control put-access-point-policy --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME> --block-public-access "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

  2. Verify the changes by running:

    aws s3control get-access-point-policy --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME>

Backout Plan:

Using AWS Console:

  1. If enabling the Block Public Access settings causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3 and select Access Points.

  3. Choose the Access Point, go to the Permissions tab, and click Edit.

  4. Disable the Block Public Access settings to allow public access if required.

  5. Save the changes and monitor the Access Point to ensure that access works as expected.

Using AWS CLI:

  1. To revert the Block Public Access settings, run:

    aws s3control put-access-point-public-access-block --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME> --public-access-block-configuration '{

  "BlockPublicAcls": false,
  "IgnorePublicAcls": false,
  "BlockPublicPolicy": false,
  "RestrictPublicBuckets": false

}'

  1. Verify that public access settings are now disabled:

    aws s3control get-access-point-public-access-block --account-id <ACCOUNT_ID> --name <ACCESS_POINT_NAME>

Reference:

CIS Controls:

Version

Control ID

Control Description

7.1

4.1

Ensure that S3 Access Points are configured to block all public access unless specifically required for operational purposes.

7.1

8.1

Enable Block Public Access settings for all S3 Access Points to ensure that sensitive data is not exposed to unauthorized users.