Profile Applicability

  • Level 1

Description:

The Block Public Access feature in Amazon S3 helps prevent accidental exposure of data to the public internet. This feature is designed to block all public access to S3 buckets and objects, ensuring that sensitive or internal data stored in S3 is not publicly accessible. Enabling Block Public Access ensures that new and existing objects are protected from being publicly exposed via misconfigured bucket policies or ACLs (Access Control Lists).

By configuring this feature, organizations ensure that their S3 buckets and objects are not inadvertently made publicly accessible, providing an additional layer of security against unauthorized access.

Rationale:

Enabling Block Public Access in Amazon S3 provides the following benefits:

  • Prevents accidental exposure: Reduces the risk of accidentally exposing sensitive data by misconfiguring bucket policies or ACLs.

  • Improved security posture: Prevents unauthorized access to data stored in S3, which could otherwise lead to data breaches or leaks.

  • Compliance: Meets security requirements for data protection that require restricting public access to storage resources (e.g., HIPAA, PCI-DSS).

Without this feature, buckets and objects might be publicly exposed unintentionally, potentially leading to security incidents or non-compliance with data protection standards.

Impact:

Failure to enable Block Public Access for S3 can result in:

  • Unauthorized access to sensitive or internal data stored in S3.

  • Exposure of confidential data to the public, leading to data breaches or leaks.

  • Non-compliance with regulatory standards that require restricting public access to storage systems.

Enabling this feature ensures that all S3 buckets are secure from accidental exposure to the public internet.

Default Value:

By default, the Block Public Access feature is not enabled for new S3 buckets. It must be explicitly configured to ensure that public access is blocked for new and existing S3 buckets.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • s3:GetBucketPolicy

    • s3:PutBucketPolicy

    • s3:GetBucketAcl

    • s3:PutBucketAcl

  • AWS S3 bucket should be available for modification

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the S3 Console.

  2. Select the S3 bucket and check the Permissions tab.

  3. Verify that Block Public Access is enabled. This should be configured as Block all public access.

  4. Ensure that the settings are saved to ensure that no public access is allowed to the S3 bucket.

Using AWS CLI :

To check if Block Public Access is enabled for a bucket:

aws s3api get-bucket-policy-status --bucket <bucket-name> --query "PolicyStatus.IsPublic" --output table


To verify if the Block Public Access settings are configured:

aws s3api get-bucket-policy-status --bucket <bucket-name> --query "PolicyStatus.IsPublic" --output table
Implementation Plan:

Using AWS Console:

  1. Enable Block Public Access for an S3 bucket:

    • Go to the S3 Console.

    • Select the S3 bucket you want to configure.

    • Navigate to the Permissions tab, then click on Block public access.

    • Enable Block all public access and save the changes.

  2. Verify that Block Public Access is enabled:

    • In the Permissions tab, ensure that all four options under Block public access (bucket settings) are enabled.

Using AWS CLI:

  1. Enable Block Public Access for an S3 bucket:

aws s3api put-bucket-policy --bucket <bucket-name> --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::<bucket-name>/*","Condition":{"StringEquals":{"aws:PrincipalAccount":"<account-id>"}}}]}'

  1. Verify Block Public Access settings:

aws s3api get-bucket-policy-status --bucket <bucket-name> --query "PolicyStatus.IsPublic" --output table


Backout Plan:

Using AWS Console:

  1. If enabling Block Public Access causes issues with legitimate access:

    • Go to the S3 Console.

    • In the Permissions tab, disable Block all public access.

    • Review the public access settings and adjust the permissions accordingly to allow legitimate access while restricting public exposure.

  2. Modify S3 bucket policies to ensure that only authorized users or applications have access to the bucket.

Using AWS CLI:

  1. Temporarily disable Block Public Access:

aws s3api put-bucket-policy --bucket <bucket-name> --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::<bucket-name>/*"}]}'

  1. Stop S3 bucket modifications if necessary:

aws s3api put-bucket-policy-status --bucket <bucket-name> --query "PolicyStatus.IsPublic" --output table

  1. Re-enable Block Public Access once issues are resolved:

aws s3api put-bucket-policy-status --bucket <bucket-name> --query "PolicyStatus.IsPublic" --output table


References:

CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

4.9

Perform Continuous Security Monitoring and Incident Detection

CIS v7

6.3

Monitor Security Configurations for Compliance

CIS v7

5.2

Securely Manage and Monitor Cloud Accounts and Services